The drag-and-drop website builder Weebly yesterday began notifying most of its more than 40 million users that hackers had accessed their email addresses and/or user names, IP addresses and encrypted (bcrypt hashed) passwords.
All affected users are being advised to reset their passwords.
“At this point we do not believe that any customer website has been improperly accessed,” the company said in a statement posted on its website. “We do not store any full credit card numbers, and so we’re not aware that any credit card information that can be used for fraudulent charges was a part of this incident.”
“Weebly’s security team is taking steps to further enhance our network security and protect our customers,” the company added. “We are also working with a third party team of security experts to investigate the incident.”
The company doesn’t yet know how the data was accessed.
The passwords for all accounts set up after June 1, 2011 were encrypted using salted bcrypt hashes. Older accounts used a less secure hashed password format, and all of those passwords are being automatically reset.
Weebly was alerted to the breach by LeakedSource, which received the stolen data from an anonymous source.
According to LeakedSource, the data dates back to February 2016, and contains 43,430,316 users’ information.
“In this particular case, Weebly understood that their customer information would be the inevitable target of an attack,” Spirion CEO Dr. Jo Webber told eSecurity Planet by email. “They took certain steps to limit the manipulation of more than 40 million customer accounts and websites by ensuring key pieces of information such as credit card numbers and passwords were secured [and] stored properly.”
IDT911 chairman and founder Adam Levin said by email that passwords aren’t the only thing to be concerned about — the other stolen information can also be useful to identity thieves.”Email addresses and usernames are the foundation of our online identities, and typically contain significant information including numbers or other key personal information including birthdays, colleges or employers,” he said.
“Hackers can easily use these bits of information to figure out passwords, use as valuable context in phishing schemes or answer security questions to access all stripe of online accounts, including banks and social networks,” Levin added.
A recent survey of more than 500 IT security professionals found that only 25 percent of respondents are confident their organizations have the number of skilled cyber security experts they need to detect and respond effectively to a serious cyber security breach.
The survey, conducted by Dimensional Research and sponsored by Tripwire, also found that 72 percent of respondents have faced challenges hiring skilled cyber security experts.
Sixty-six percent of respondents said their organizations face increased security risks due to a lack of skilled cyber security experts.
“Having the right tools is only part of the solution,” Tripwire director of IT security and risk strategy Tim Erlin said in a statement. “A lack of cyber security skills not only degrades an organization’s ability to respond to incidents, it also inhibits organizations from developing and deploying effective prevention.”
A recent eSecurity Planet article examined seven database security best practices.