Online statistics portal Statista discovered a vulnerability in its administrative system that allowed an attacker to steal personal information on an estimated 50,000 customers.
How many victims? Roughly 50,000 based on an internal analysis, but Statista cannot yet confirm.
What type of personal information? Contact and order information, email addresses, usernames and encrypted passwords.
What happened? Statista has not discovered any actual traces of an attack, but based on an internal analysis, the company surmised that an attacker with knowledge of the system and vulnerability used brute force to attempt to copy and save all of the data sets bit by bit onto their own server.
What was the response? An investigation is ongoing internally and with law enforcement. Statista is having all its safety measures audited and is having them adapted accordingly. All impacted individuals will be notified and required to change their passwords.
Details: The company does not know exactly when the attack occurred, but spam messages addressed to internal email addresses began coming in on March 2. Statista immediately began an analysis of the database, during which it discovered the vulnerability and closed it within three hours. After a follow-up investigation, Statista began alerting customers on March 5.
Some of the passwords used older encryption without salt and are vulnerable to decryption, particularly if they are short.
Quote: “We have also filed a complaint with the German police against the unknown people who are responsible for this attack,” according to a Statista statement. “We currently have no information on the perpetrator or his or her motives for this attack.”
Source: An SCMagazine.com correspondence with Statista.