Event-discovery application Peatix has disclosed a data breach, after ads for stolen user-account information were reportedly being circulated on Instagram and Telegram.
In a data breach notice to affected users, Peatix said it learned on Nov. 9 that user account data had been improperly accessed. Upon further investigation, the company found that user names, email addresses, salted and hashed passwords, nicknames, preferred languages, countries and time zones had been compromised.
“As part of our immediate recovery measures, we blocked unauthorized access to the database and are continuing to investigate with assistance from external security firms,” according to the data-breach notification.
Peatix is an events application that connects people to various events and social-based communities. Since it first started in 2011, the application has grown to serve more than 50,000 interest groups worldwide – with a user base of 5 million. It’s unclear how many of those users were affected by the data breach or how the breach initially occurred; Threatpost has reached out to Peatix for further information.
While Peatix uses payment processors such as PayPal and Stripe for managing user payments, full credit-card details are not stored in its databases, and Peatix said there is no evidence that this information has been compromised.
“In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any data obtained through our questionnaire function or users’ addresses or phone numbers were accessed,” according to the security advisory.
While passwords were obtained, the company stressed that it employs an encrypted password system that stores user passwords as hash values – rather than plain-text passwords. That said, Peatix urged users to reset their passwords “as an added measure of precaution,” and be on the lookout for suspicious correspondence requesting further personal information.
However, security experts like Robert Prigge, CEO of Jumio, don’t think this is enough.
“Peatix’s response to reset passwords is simply not enough to keep their… user accounts protected,” said Prigge in an email. “Instead, online organizations should turn to a safer and more secure alternative like biometric authentication (leveraging a person’s unique human traits to verify identity), which will confirm the authorized user is the one logging in, ensuring personal data is protected from cybercriminals and data breach brokers.”
The company warned that bad actors could use the stolen information to contact affected users and try to collect further personal or financial information via phishing attacks. Other potential attack vectors include credential-stuffing attacks and password-spraying attacks.
“They may claim to be Peatix or send emails appearing to be from Peatix,” said the company. “They may also try to access your Peatix account or other websites and apps on which you use the same passwords.”
According to ZDNet, not long after the data breach occurred, the compromised data was spotted in ads posted on Instagram stories, Telegram channels and various hacking forums.
“Usually, when we hear about hackers offering stolen data, this takes place over deep web forums or pages,” Boris Cipot, senior sales engineer with the Synopsys Software Integrity Group, said via email. “In this case however we are also seeing the use of social-media platforms such as Instagram and messaging app Telegram to promote stolen names, usernames, hashed passwords and email addresses.”
Cipot said the security incident is a good reminder for users to maintain basic security hygiene – including staying on the lookout for suspicious emails.
“Users should also change their passwords on other services where they have been reused,” said Cipot. “It is also critical that users are vigilant as their data may be used in phishing campaigns in an attempt to gather additional data or even gain access to their computer. As such, be wary of emails with attachments or links.”