The outdoor and sports-centric website aggregator VerticalScope was hacked, according to an industry watchdog, with about 45 million records from more than 1,100 websites taken and posted to the internet.
The compromised data was found by Leakedsource in February 2016; the records contained information such as email address, username, IP address and one or two passwords. Leakedsource.com is a search engine that scours a number of online sources looking for stolen or leaked records.
VerticalScope acquires and develops websites and forums covering a wide variety of sports, automotive and outdoor activities. Among the dozens of sites owned by the company are hotrodders.com, cadillacowners.com and motorcycle.com. Altogether, the various sites and forums currently have almost 38 million registered members.
“Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale,” Leakedsource.com said.
In an undated statement on the VerticalScope site, the company said it has made changes to its security arrangements in response to the leak. These include minimum password rules, warnings to users not to reuse the same password they use on other sites, and forcing users to change passwords more frequently.
“We recently became aware of potential risks to community accounts (username, userid, encrypted password and email address) on many Forum online communities, including some owned and operated by VerticalScope,” the company said.
Leakedsource.com said more than 40 million of the records it found were hashed with MD5, some of them with a salt. Among the most commonly found passwords in the data dump were 123456, password, 111111 and letmein.
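The combination reported above, MD5 with a salt and a user base full of passwords like 123456, is worth seeing concretely: a per-user salt defeats precomputed rainbow tables, but it does not stop a dictionary attack when the hash is fast, because one MD5 per candidate costs almost nothing. The script below is an added example written for this article, not code from VerticalScope or Leakedsource. The records it attacks are constructed inline, the salt || password layout and the usernames are assumptions (the article does not say how the salt was applied), and the PBKDF2 scheme is included only as a contrast to show what a slow, per-user-salted hash would have cost the same attacker.

```python
"""Added example: dictionary attack against per-user salted MD5 versus PBKDF2."""
import hashlib
import hmac
import time

# Constructed wordlist: the four passwords the article names as most common,
# plus a few filler entries so the loop is not trivial.
WORDLIST = ["qwerty", "abc123", "123456", "password", "111111", "letmein", "dragon"]

# Constructed sample plaintexts (hypothetical users, not from the breach).
# "dave" uses a password that is not in the wordlist and should survive.
SAMPLE_PLAINTEXTS = {
    "alice": "123456",
    "bob": "letmein",
    "carol": "password",
    "dave": "Tr0ub4dor&3-xkcd936",
}


def md5_salted(salt: bytes, password: str) -> str:
    """The fast scheme the article describes; salt || password is an assumed layout."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def pbkdf2_salted(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Contrast scheme: PBKDF2-HMAC-SHA256 with a per-user salt. 100k iterations
    is below current OWASP guidance for SHA-256 and is kept low for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_records(hash_fn):
    """Build constructed 'leaked' records as (username, salt_hex, hash_hex).
    Salts are derived from the username so the run is reproducible; a real
    system would draw them from os.urandom(16)."""
    records = []
    for user, pw in SAMPLE_PLAINTEXTS.items():
        salt = hashlib.sha256(b"demo-salt:" + user.encode("utf-8")).digest()[:16]
        records.append((user, salt.hex(), hash_fn(salt, pw)))
    return records


def dictionary_attack(records, wordlist, hash_fn):
    """Per-record dictionary attack.

    A per-user salt forces one wordlist pass per record (no shared table),
    but with a fast hash each pass is cheap. Returns a tuple of
    ({username: recovered_password}, number_of_hash_evaluations)."""
    recovered = {}
    evaluations = 0
    for user, salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            evaluations += 1
            if hmac.compare_digest(hash_fn(salt, candidate), digest):
                recovered[user] = candidate
                break
    return recovered, evaluations


def compare_schemes():
    """Run the identical attack against MD5 and PBKDF2 records.

    Both schemes need the same number of guesses; the difference is the cost
    of each guess, which is what a slow hash buys a site whose users pick
    weak passwords. Returns {scheme: {recovered, evaluations, seconds}}."""
    results = {}
    for name, fn in (("md5", md5_salted), ("pbkdf2", pbkdf2_salted)):
        records = make_records(fn)
        start = time.perf_counter()
        recovered, evaluations = dictionary_attack(records, WORDLIST, fn)
        results[name] = {
            "recovered": recovered,
            "evaluations": evaluations,
            "seconds": time.perf_counter() - start,
        }
    return results


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:7s} recovered={r['recovered']} "
              f"evaluations={r['evaluations']} time={r['seconds']:.3f}s")
```

Running it recovers alice, bob and carol under both schemes with the same 20 hash evaluations; only the wall-clock time differs, by roughly the PBKDF2 iteration count. Two lessons follow for a site in VerticalScope's position: salting is necessary but not sufficient, and the hash choice (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) is what makes a dump of weak passwords expensive to turn into plaintext.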
Jason Hart, CTO of data protection at Gemalto, told SCMagazine.com in an email that improving password security is not enough.
“Consumers need to demand, and businesses need to provide, additional security beyond the password such as multi-factor authentication. Given the current security climate, all online companies should have multi-factor authentication activated by default for all online accounts,” he said.
Giving website visitors more information regarding exactly what level of security is being used to protect their information was suggested by Amit Ashbel, cyber security evangelist at Checkmarx.
“Following the basic OWASP top 10 guidelines would have prevented a lot of headaches for both users and VerticalScope by making sure that the stolen data has much less value. Maybe it's time that websites are forced to indicate what security standards they follow to protect their users' data,” he said.