The passwords and other personal data of more than 2.2 million users of two websites were revealed online as the result of data breaches that happened earlier this year, a notable security researcher warned.
Personal information belonging to the users of cryptocurrency wallet service GateHub and gaming bot provider EpicBot were posted online even though the information was heavily encrypted, security researcher Troy Hunt told Ars Technica on Tuesday.
Hunt discovered databases online with information from 1.4 million GateHub accounts and 800,000 EpicBot accounts. Info in the accounts included emails and passwords that were cryptographically hashed with technology called bcrypt, which is known as one of the toughest for bad actors to break into.
GateHub acknowledged that it had been hacked over the summer, although it seems now the breach was bigger than the company revealed. In a statement on the GateHub website, the company said that a perpetrator had “accessed 18,473 encrypted customer accounts, a very small fraction of our total user base,” and that “a vast majority” of customers were unaffected.
The post confirmed that data being targeted on the accounts included email addresses; hashed passwords; hashed recovery keys; encrypted XRP ledger wallets secret keys from non-deleted wallets only; and user first and last names, if users provided them.
“We found no evidence that other information (such as phone numbers or ID documents) was compromised,” GateHub said at the time. “All affected customers were notified about the unauthorized access and provided a list of data that the perpetrator was able to retrieve from their account.”
GateHub account holders also reported on Twitter that their information had been stolen and posted online. One Twitter user posted a screenshot of a Have I Been Pwned notification telling him his info had been leaked on June 4 from a GateHub breach and then posted online in October.
— Harry The Horse (@local_it) November 20, 2019
It does not appear at this time that EpicBot so far has acknowledged it’s been hacked, according to reports. Hunt’s version of the leak—which included usernames and IP addresses of account holders—seems to be the best evidence thus far that the breach occurred.
Hunt, the founder the Have I Been Pwned breach notification service (which he is looking to sell), said he selected a representative sample of accounts from both databases to verify the authenticity of the data.
Data breaches continue to be a major thorn in the side for security administrators, with leaks reported nearly weekly, and presumably many others left unreported. Often the leaked data is then used by bad actors in cybercrime campaigns, such as to conduct phishing or ransomware.
The leaking of password data can be especially harmful, as bad actors can use this information to gain unauthorized access to users personal and financial accounts. In one recent breach in August, Web hosting company Hostinger warned that someone accessed one of its servers, potentially exposing the passwords of 14 million customers.
Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.