If you’ve ever registered with ClixSense – and millions have – you can consider all your personal information shared with the service compromised.
The company behind the popular Paid To Click site has been breached, the site (Clixsense.com) made to redirect to a gay porn site, its Microsoft Exchange server and webservers compromised, and an old database server containing users’ information pilfered some ten days ago.
The stolen information includes users’ name, email and IP address, home address, date of birth, sex, account balance, payment history, as well as their password in plaintext.
The company has confirmed the hack to Ars Technica, and said that it has forced a password reset on all of its 6.6 million registered users.
Users who have reused the same password on other online accounts should change it there also, as well as be on the lookout for convincing phishing attempts by crooks using their stolen information.
It is a very realistic scenario, as the attackers are offering the account records for sale, along with emails exchanged by the company’s employees and the complete source code for the site.
They have released a sample of the stolen data, containing that of early users, as proof.
Unlike previous mega data breaches, this one is not old – the user database was dumped earlier this month, so all the information contained in it should be up to date.
Of course, it’s possible that some users have entered incorrect information when asked, and given what’s happened, I say good on them.
“It has come to our attention that this hacker did get access to our database server for a short period of time. He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server. (This server has since been terminated),” Clixsense explained in a post about the incident.
“He was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $0.00.”
After all that, the company had the nerve to say that the incident “has taught us that regardless of what you do to stay secure, it still may not be enough,” and that users’ “ClixSense account information is now much more secure.”
Never mind that it should have been secure in the first place… Why was an old server that’s no longer in use still connected to their database server? And, for that matter, why did they store passwords in plain text? None of this inspires much confidence that they will “do” security better in the future.
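To make the plain-text point concrete, here is an added example (not ClixSense code, and not from the article) showing what the password column of a users table should hold instead. It uses only the Python standard library: each password is stored as a salted PBKDF2-HMAC-SHA256 hash with its parameters, so a dumped table yields no reusable passwords and each guess costs the attacker the full work factor. The iteration count, the `pbkdf2_sha256$…` record layout and the sample accounts are assumptions for this example; a memory-hard function such as scrypt or Argon2 would be the better choice where available.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; on real
# hardware tune it so one verification takes on the order of 100 ms.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the dump.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time. Malformed or unknown records never verify."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return hmac.compare_digest(candidate, expected)


def stored_value_reveals_password(stored_value: str, password: str) -> bool:
    """True when the stored column hands an attacker the password directly,
    which is exactly the situation described for the breached users table."""
    return password in stored_value


# Constructed sample table in the form the article describes: the password
# column holds the plaintext. These accounts are made up for this example.
PLAINTEXT_USERS = {
    "alice@example.invalid": "correct horse battery staple",
    "bob@example.invalid": "hunter2",
    "carol@example.invalid": "hunter2",  # same password as bob
}


def migrate_table(plaintext_users: dict) -> dict:
    """One-time migration: replace every plaintext password with its hash
    record. After this, a dump of the table contains no usable passwords."""
    return {email: hash_password(pw) for email, pw in plaintext_users.items()}


if __name__ == "__main__":
    hashed = migrate_table(PLAINTEXT_USERS)
    for email, pw in PLAINTEXT_USERS.items():
        print(email, "plaintext visible:", stored_value_reveals_password(pw, pw),
              "hashed visible:", stored_value_reveals_password(hashed[email], pw),
              "login works:", verify_password(pw, hashed[email]))
```

Note that bob and carol share a password but end up with different records because of the per-user salt; the login check still works for both, and a leaked record of one tells an attacker nothing about the other. The record also carries its own iteration count, so the work factor can be raised later without invalidating existing accounts.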
But none of this matters much to the affected users: much of their personal info has been compromised, and there is no going back.