[BreachExchange] Post-Breach, Peatix Data Reportedly Found on Instagram, Telegram

Destry Winant destry at riskbasedsecurity.com
Mon Nov 30 10:42:16 EST 2020


https://threatpost.com/breach-peatix-data-instagram-telegram/161560/

Events application Peatix this week disclosed a data breach, after
user account information reportedly began circulating on Instagram and
Telegram.

Event-discovery application Peatix has disclosed a data breach, after
ads for stolen user-account information were reportedly being
circulated on Instagram and Telegram.

In a data breach notice to affected users, Peatix said it learned on
Nov. 9 that user account data had been improperly accessed. Upon
further investigation, the company found that user names, email
addresses, salted and hashed passwords, nicknames, preferred languages,
countries and time zones had been compromised.

“As part of our immediate recovery measures, we blocked unauthorized
access to the database and are continuing to investigate with
assistance from external security firms,” according to the data-breach
notification.

Peatix is an events application that connects people to various events
and social-based communities. Since it first started in 2011, the
application has grown to serve more than 50,000 interest groups
worldwide – with a user base of 5 million. It’s unclear how many of
those users were affected by the data breach or how the breach
initially occurred; Threatpost has reached out to Peatix for further
information.

While Peatix uses payment processors such as PayPal and Stripe for
managing user payments, full credit-card details are not stored on
their databases, and Peatix said there is no evidence that this
information has been compromised.

“In addition, based on our investigation to date, we have no reason to
believe that any historical data of events in which users
participated, any data obtained through our questionnaire function or
users’ addresses or phone numbers were accessed,” according to the
security advisory.

While passwords were obtained, the company stressed that it employs an
encrypted password system that stores user passwords as hash values –
rather than plain-text passwords. That said, Peatix urged users to
reset their passwords “as an added measure of precaution,” and be on
the lookout for suspicious correspondence requesting further personal
information.

However, security experts like Robert Prigge, CEO of Jumio, don’t
think this is enough.

“Peatix’s response to reset passwords is simply not enough to keep
their… user accounts protected,” said Prigge in an email. “Instead,
online organizations should turn to a safer and more secure
alternative like biometric authentication (leveraging a person’s
unique human traits to verify identity), which will confirm the
authorized user is the one logging in, ensuring personal data is
protected from cybercriminals and data breach brokers.”

The company warned that bad actors could use the stolen information to
contact affected users and try to collect further personal or
financial information via phishing attacks. Other potential attack
vectors include credential-stuffing attacks and password-spraying
attacks.

“They may claim to be Peatix or send emails appearing to be from
Peatix,” said the company. “They may also try to access your Peatix
account or other websites and apps on which you use the same
passwords.”

According to ZDNet, not long after the data breach occurred, the
compromised data was spotted in ads posted on Instagram stories,
Telegram channels and various hacking forums.

“Usually, when we hear about hackers offering stolen data, this takes
place over deep web forums or pages,” Boris Cipot, senior sales
engineer with the Synopsys Software Integrity Group, said via email.
“In this case, however, we are also seeing the use of social-media
platforms such as Instagram and messaging app Telegram to promote
stolen names, usernames, hashed passwords and email addresses.”

Cipot said the security incident is a good reminder for users to
maintain basic security hygiene – including staying on the lookout for
suspicious emails.

“Users should also change their passwords on other services where they
have been reused,” said Cipot. “It is also critical that users are
vigilant as their data may be used in phishing campaigns in an attempt
to gather additional data or even gain access to their computer. As
such, be wary of emails with attachments or links.”
