Verticalscope, a Canadian web discussion forum manager with over 45 million active customers, suffered a second data breach in as many years that compromised as many as 2.7 million customer accounts.
Verticalscope had suffered a catastrophic breach in 2016 that resulted in the loss of 45 million user account details, including passwords.
Verticalscope manages hundreds of popular web forums catering to varied fields like sports, automotive, health, hobby and outdoor activities and boasts of tens of millions of active users who visit its forums every day. In February last year, a hacker managed to breach the firm’s server and succeeded in stealing almost all user account details stored by the firm.
Following the initial breach, VerticalScope said that stolen details were limited to usernames, user IDs, email addresses, and encrypted passwords. However, over 40 million user passwords were secured using MD5 with salting and could be decrypted by anyone with the right tools. The firm then said that it would implement fresh security changes and a new password expiration policy to ensure the same would not happen again.
As it turns out, Verticalscope has been breached again, even though the number of stolen accounts this time are much fewer at 2.7 million. According to Krebs on Security, ‘evidence of the breach was discovered just before someone began using that illicit access as a commercial for a new paid search service that indexes consumer information exposed in corporate data breaches.’
The fresh breach was first discovered by security researcher Alex Holden who then informed Krebs on Security. When Holden contacted the hacker who was selling stolen details, he noticed that the latter was using a Web shell which is used by hackers to remotely administer sites and upload/delete content at will. The presence of the Web shell confirmed that Verticalscope had been hacked again. After it was contacted, the firm released a statement on the breach.
‘The intrusion granted access to each individual website files. Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access,’ it said.
The firm added that the latest cyber-attack targeted six of its sites, including Jeepforum.com and watchuseek.com, two popular web forums for automotive and wristwatch fans respectively.
‘People who re-use passwords across multiple Web sites tend to be those hardest-hit by these breaches, and by these dodgy password lookup services. It may not seem like a big deal if someone chooses to re-use the same password across a range of sites that don’t ask for or store your personal data, such as discussion forums.
‘The problem is that this encourages poor password habits, and for many folks this eventually results in using that forum password at more important sites that do store sensitive data,’ noted Krebs on Security.
‘Password managers can help users pick and remember unique, strong passwords for all sites that require a login; all the user needs to do is remember a single “master password” to unlock all the others,’ the firm added.