Web hosting service Weebly has confirmed a major data breach, following a LeakedSource.com report stating that 43.4 million accounts were stolen from the company's main database in February 2016. This number would effectively comprise Weebly's entire 40 million-plus customer base.
In the same blog post on Thursday, the breach notification website also claimed that location-based social network Foursquare suffered a breach in December 2013 that affected 22.5 million users. Foursquare denies that any such incident occurred.
According to the report, LeakedSource.com acquired the stolen Weebly data from an anonymous source and found that it contains usernames, email addresses, passwords and IP addresses. Fortunately, the passwords were heavily encrypted.
“This mega breach affects not only tens of millions of users but tens of millions of websites and with Weebly being one of the most popular hosting platforms in the world, this breach could have been far more disastrous in the wrong hands had they not strongly hashed passwords,” read the blog post.
LeakedSource.com noted that it has been working with San Francisco-based Weebly while the company, which specializes in drag-and-drop website building capabilities, responds by resetting passwords and distributing breach notification emails.
“Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers,” read an official Weebly company statement sent to SCMagazine.com. At this point we do not have evidence of any customer website being improperly accessed. We do not store any full credit card numbers on Weebly servers, and at this time we're not aware that any credit card information that can be used for fraudulent charges was part of this incident.”
“Our security team, with support from outside security consultants, is working to protect our customers and to enhance our network protections. This includes initiating password resets, implementing new password requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity,” the statement continued.
In contrast to Weebly, New York-based Foursquare is disputing Foursquare's report. “As we've told others, we have done an internal investigation and no breach has occurred,” wrote a Foursquare spokesperson in an email to SCMagazine. “The evidence suggests that the outside source [LeakedSource.com] had their own pre-existing list of email addresses, and used that to lookup public profiles associated with each address. No passwords, credit card numbers, etc. were accessed.”
The spokesperson added that the company is not conducting any interviews “since nothing happened!”
“Thankfully, the company had encrypted passwords and there's no evidence that customer websites were impacted. But, the potential risk goes far beyond these Weebly accounts,” said Adam Levin, chairman and founder of identity protection firm IDT911, in emailed comments. “There were plenty of other pieces of sensitive, personal information exposed, including usernames and email addresses, that could lead to a world of hurt for the user.”
“ Email addresses and usernames are the foundation of our online identities, and typically contain significant information including numbers or other key personal information including birthdays, colleges or employers. Hackers can easily use these bits of information to figure out passwords, use as valuable context in phishing schemes or answer security questions to access all stripe of online accounts, including banks and social networks,” Levin continued.
"The ease of getting millions of stolen credentials, with the fact that users will always continue to reuse passwords simply because they are human, makes brute-force attacks more effective than ever and forces application providers to take proper measures to protect their users,” said Deepak Patel, director of security strategy for data and application security provider Imperva, in emailed comments. “As we see again in this case, data from breaches is hot merchandise on both sides of the legitimacy fence, with the security marketplace on one side and the dark market on the other.”
The LeakedSource.com blog post also cited a third breached company, Modern Business Solutions; however this incident had already been reported on Oct. 10 by Risk Based Security.