Online invitation company Evite announced it was affected by a data breach involving the unauthorized access of customer information.
Evite learned of the incident in April 2019 and upon investigation, learned malicious activity started on February 22, 2019 when the unauthorized party acquired an inactive data storage file associated with the firm’s user accounts, according to a security update.
Names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses were potentially affected in the incident.
Once the breach had been discovered, the firm notified the authorities and brought in an external forensics team to assess the situation and address any vulnerabilities in the system and remediate the incident.
Those affected are advised to change their password for any other account using shared credentials, review accounts for suspicious activity, be cautious of unsolicited communications that ask for personal data, and avoid clicking on the links or downloading attachments from suspicious emails.
Damien Radford, principal engineer at Bugcrowd told SC Media the Evite data breach isn’t unprecedented and the fact that it’s all old data likely means that someone made a backup of that data, or left an old database running that eventually got exposed via a vulnerability.
“ As a business, this goes back to the importance of understanding your attack surface - since those old skeletons, while old, are still skeletons,” Radford said.
“There is always the potential for exploitable data to exist in cold storage or backup formats created prior to business adopting a security posture as well. Therefore, it is extremely important for companies to ensure data retention policies include investigating and removing older backups, if no longer needed.”
He added that it’s equally important to realize that any form of personal information could be used in a phishing or social engineering attack and that just because an export doesn't contain a password does not mean it’s not exploitable.