[BreachExchange] Trakt app users' personal data exposed: We were hit by a 'PHP exploit'... back in 2014

Destry Winant destry at riskbasedsecurity.com
Mon Feb 11 08:22:07 EST 2019


https://www.theregister.co.uk/2019/02/07/trakt_hit_by_php_exploit_in_2014_app_users_deets_explosed_but_thankfully_payment_info_not_part_of_the_data_leak/

Trakt, maker of an app that monitors users' TV programme and movie
viewing habits, has 'fessed up to falling victim to a PHP exploit more
than four years ago that resulted in data leakage.

The company has written to customers revealing it "learned of a data
breach that occurred back in December 2014. The breach involved some
of our personal information, such as user name, email and encrypted
password."

"Although this happened in 2014 we only recently discovered this, and
wanted to promptly provide notice as part of our commitment to your
privacy," the email added.

The "good news", Trakt told paying customers (the basic app is free),
is that payment information was not included in the security wobble –
that data is held by payment processors, rather than within its own
servers.

But the data "lost" included email, usernames, encrypted passwords,
names as well as customers' "location".

By January 2015, the business said it had moved from version 1 of its
site to version 2 and "[i]n doing so, we removed any access outsiders
had to your information".

This shift led to a "more secure algorithm for storing passwords", the
platform change "removed the exploit" and the fresher infrastructure
had "far tighter restrictions", Trakt claimed.

It has reset passwords for affected users, sending an email with a
reset link. Presumably the same email address that was leaked. And
Trakt assured customers: "We are diligently monitoring our site."

A probe into the leak is ongoing "but we believe a PHP exploit was
used to capture data from Trakt users".

"We know you trust us with your data and we failed to protect it.
We're incredibly sorry that this happened and hope that you'll let us
earn your trust back," the email concluded.