Online invitation and stationery company Evite has notified customers of a data breach that stemmed from an “inactive data storage file” associated with user accounts.
The company over the weekend said that during April 2019, it became aware of a “security incident involving potential unauthorized access to our systems.”
After further investigation, Evite said that the breach had compromised customers’ personal information including names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses. No user information more recent than 2013 was contained in the file, Evite said.
“Once we became aware of the incident, we quickly took steps to determine the nature and scope of the issue,” said the company in an online release. “We are working with a leading data security firm to assist in our investigation and remediation. We have also notified and are coordinating with law enforcement authorities.”
Social security numbers and payment information were not impacted as the former is not collected and the latter is not stored on the site, the company said.
The breach notification comes months after ZDNet first reported in April that a hacker (who goes under the alias Gnosticplayers) had dumped Evite customer data on illicit online markets. The 10 million user record database contained full names, countries, emails, IP addresses and cleartext passwords from customers, according to the initial report. The database was put up for sale for .2419 Bitcoin ($1,916 USD).
According to the report, Evite did not return an initial request for comment when notified of the data in April by ZDNet. Evite did not respond to a request for comment this week from Threatpost regarding its data breach notification.
Matan Or-El, CEO of Panorays, said businesses utilizing Evite’s platform in particular should be concerned about the information leaked in the data breach.
“Businesses that incorporate Evite into their marketing activities should be concerned about this breach,” he said in an email. “Typically not considered a critical vendor, apps such as Evite are not usually monitored or assessed on their security posture. Yet as this breach demonstrates, these apps hold the data of employees as well as customers. A breach to the application propagates as a security risk to the company. Companies must ensure that they evaluate and continuously monitor the security posture of the suppliers they are working with to avoid taking a hit due to their supply chain.”
Evite’s data breach comes in the midst of a slew of other data breaches this week, including the disclosure of a breach of U.S. Customs and Border Protection revealing photos and license plates of 100,000 travelers.
Also this week, a data breach of retro gaming website EmuParadise was revealed after the compromised data was discovered and provided to Have I Been Pwned on Monday by Dehashed.com.
The compromised vBulletin forum exposed 1.1 million email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes. The date of the breach was April 1, 2018.
EmuParadise told Threatpost that it had notified all its users through a public announcement and email, and their passwords were reset.
“It was a vulnerability in vBulletin that was exploited,” an EmuParadise spokesperson told Threatpost. “But we were already on this last year in April when it happened. Not sure why it’s being talked about now after all this time.”