[BreachExchange] Wattpad data breach exposes account info for millions of users

Destry Winant destry at riskbasedsecurity.com
Thu Jul 16 10:14:55 EDT 2020


https://www.bleepingcomputer.com/news/security/wattpad-data-breach-exposes-account-info-for-millions-of-users/

An allegedly stolen Wattpad database containing 270 million records
was being sold in private sales for over $100,000. Now it is being
offered for free on hacker forums.

Wattpad is a web site that allows members to publish user-generated
stories on a variety of different topics. The site is immensely
popular and is ranked as the 150th most visited site worldwide.

In an anonymous tip, BleepingComputer was told that this database was
being sold by Shiny Hunters, a group known for selling company
databases acquired in data breaches.

At the time, cyber intelligence firm Cyble told BleepingComputer that
this database was being sold for ten bitcoins, or almost $100,000 at
the time.

BleepingComputer contacted Shiny Hunters about this breach, and at
first, they were concerned about how we knew about the sale, and then
later denied having anything to do with it.

A few sample records of this database seen by BleepingComputer contain
user names, names, hashed passwords, email addresses, and general
geographic location.

BleepingComputer contacted the users in this sample, and one user
confirmed with BleepingComputer that the listed information was
accurate.

BleepingComputer was told by Kiel Hume, Director of PR &
Communications at Wattpad, that they are working with external
security consultants to investigate the potential breach.

"We continue to investigate the information you’ve shared and its
potential origins. At this time we’ve enlisted external security
consultants to aid our investigation. We take the security of our
users and their data extremely seriously, and our teams will be
working around the clock to uncover any new information."

Update 7/14/20 4:08 PM EST: Hume sent BleepingComputer an updated
statement saying that Wattpad is working to contain and remediate the
breach, but that no financial information, phone numbers, stories, or
private messages were accessed during the incident.

We are aware of reports that some user data has been accessed without
authorization. We are urgently working to investigate, contain, and
remediate the issue with the assistance of external security
consultants.

From our investigation, to date, we can confirm that no financial
information, stories, private messages, or phone numbers were accessed
during this incident. Wattpad does not process financial information
through our impacted servers, and active Wattpad users’ passwords are
salted and cryptographically hashed.

We are committed to maintaining the trust that our users have placed
in us to ensure the safety and security of the Wattpad community.

Wattpad database now free on a hacker forum

While the database was previously being sold for the high price of
$100,000, the database is now being offered for free and claims to
contain 271 million users.

Today, a new user was registered on a hacker forum using the name and
photo of ZDNet reporter Catalin Cimpanu and began offering this
alleged database for free.

Cimpanu, who is a former reporter at BleepingComputer, is likely being
impersonated due to his recent article about the hack of Vinny Troia's
NightLion security firm. Troia claims to be revealing the identity of
Shiny Hunters and other data breach sellers this week.

The user offering this database claims that 145 million passwords are
hashed with bcrypt, and the other 44 million are hashed with SHA256.

This mixture of hashing methods was used in the samples seen by
BleepingComputer.
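As an added triage example (not code from the article, from Wattpad, or from BleepingComputer), the Python below shows how a defender sizing the exposure of a dump like this one can sort records by hash format: bcrypt strings in modular-crypt format versus bare 64-hex SHA256 digests. The record layout (username, email, stored hash) follows the fields the article lists; the sample records themselves are constructed, and the regular expressions and function names are this example's own assumptions, not anything from the leaked data.

```python
import hashlib
import re
from collections import Counter

# bcrypt hashes use modular crypt format: "$2a$", "$2b$", "$2x$" or "$2y$",
# a two-digit cost, then a 22-character salt and 31-character digest
# (53 characters of the bcrypt base64 alphabet). A bare SHA256 digest is
# 64 hex characters and embeds neither a salt nor a cost parameter.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
SHA256_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_hash(stored: str) -> str:
    """Return 'bcrypt', 'sha256' or 'unknown' for one stored password hash."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if SHA256_HEX_RE.match(stored):
        return "sha256"
    return "unknown"


def triage(records):
    """Count records per hash scheme; bcrypt is slow to verify by design,
    while a plain SHA256 digest is a fast general-purpose hash and gives no
    evidence of per-user salting, so the sha256 bucket is the higher risk."""
    return Counter(classify_hash(stored) for _, _, stored in records)


def accounts_requiring_reset(records):
    """Usernames whose stored hash is not bcrypt: the accounts a site would
    force through a password reset and re-hash first after a leak."""
    return sorted(user for user, _, stored in records
                  if classify_hash(stored) != "bcrypt")


# Constructed sample records (username, email, stored hash). These values
# are made up for the example and are not taken from any leaked database.
SAMPLE_RECORDS = [
    ("alice", "alice@example.com",
     "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("bob", "bob@example.com", hashlib.sha256(b"correct horse").hexdigest()),
    ("carol", "carol@example.com", hashlib.sha256(b"hunter2").hexdigest()),
    ("dave", "dave@example.com", "not-a-recognised-hash-format"),
]

if __name__ == "__main__":
    for scheme, count in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{scheme:8s} {count}")
    print("reset first:", ", ".join(accounts_requiring_reset(SAMPLE_RECORDS)))
```

On a real dump the same classification is what tells an incident responder how much of the credential set is protected by a work-factor hash and how much needs immediate resets and notifications; records that match neither pattern are worth inspecting by hand, since they may be a third scheme or corrupted rows.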

The number of users reported to be in this stolen database conflicts
with the reported 80 million total users on Wattpad in 2019.

BleepingComputer has not independently verified this database's
authenticity other than the limited samples shared with us last week.

We have once again reached out to Wattpad for further comment.


More information about the BreachExchange mailing list