Weebly, a popular web-hosting service featuring a drag-and-drop website builder, has been breached, and email addresses/usernames, IP addresses and encrypted passwords for some 43 million users have been stolen.
Unfortunately, the company did not notice the breach when it happened, around February 2016. They were notified of it once LeakedSource got its hands on the stolen data.
“Unlike nearly every other hack, the co-founder and CTO of Weebly Chris Fanini fortunately did not have his head buried deeply in the sand and actually responded to our communication requests. We have been working with them to ensure the security of their users meaning password resets as well as notification emails are now being sent out,” the group noted.
Weebly also published a security update on the site, explaining what they did once they were made aware of the breach:
- Confirmed the authenticity of the data
- Called in security consultants to help with the investigation
- Reset passwords of affected users and notified them via email
- Took steps to enhance their network security to prevent future breaches
- Implemented tougher password requirements
- Set up a dashboard for users to monitor their log-in history
According to their findings, no financial information that could be used for fraudulent charges has been stolen, and the company does not store full credit card numbers.
It’s also a great thing that they’ve kept user passwords encrypted.
“Accounts set up after June 1, 2011 have an encrypted password which security experts rank as an 8/10 on a safety scale. These passwords are encrypted using salted, bcrypt hashes, which helps protect them by encrypting the data (hashing) and adding a string of random information to each password (salting). This makes these passwords very hard to guess or crack,” they explained.
“Accounts set up before June 1, 2011 are using an older hashed password format, and these passwords have already been automatically reset as a safety precaution.”
The company has also advised users to be on the lookout for phishing emails impersonating the service, to change their Weebly password, and to change their passwords on other online accounts if they used the same one they used on Weebly.
“As with other recent data breaches, the full extent of the breach will not be known fully until many months down the road,” Spirion CEO Dr. Jo Webber commented for Help Net Security.
“In this particular case, Weebly understood that their customer information would be the inevitable target of an attack. They took certain steps to limit the manipulation of more than 40 million customer accounts and websites by ensuring key pieces of information such as credit card numbers and passwords were secured and stored properly.”
“Thankfully, the company had encrypted passwords and there’s no evidence that customer websites were impacted. But, the potential risk goes far beyond these Weebly accounts,” says Adam Levin, chairman of IDT911.
“There were plenty of other pieces of sensitive, personal information exposed, including usernames and email addresses, that could lead to a world of hurt for the user. Email addresses and usernames are the foundation of our online identities, and typically contain significant information including numbers or other key personal information including birthdays, colleges or employers. Hackers can easily use these bits of information to figure out passwords, use as valuable context in phishing schemes or answer security questions to access all stripes of online accounts, including banks and social networks.”