[BreachExchange] Personal Data and Credentials of 268 Million Users Exposed In Recent Wattpad Hack

[Destry Winant]

https://www.riskbasedsecurity.com/2020/07/23/personal-data-and-credentials-of-268-million-users-exposed-in-recent-wattpad-hack/

Each year the Cyber Risk Analytics research team at Risk Based
Security captures and analyzes thousands of data breaches. Given the
volume of events we see, it takes something special for the breach to
grab our attention. The recent incident at Wattpad did exactly that,
both for the size of the breach and what could be learned from the
dataset.

What is Wattpad?

Wattpad, reportedly the 151st most visited website in the world, calls
itself “the world’s most-loved social storytelling platform”, claiming
to connect “a global community of 80 million readers and writers
through the power of story.” The Toronto-based company is more than a
self-publishing platform, working closely with publishing companies to
identify emerging trends and as a conduit for promoting new material.
Wattpad also ventures into production. According to the company’s
website, Wattpad Studios “partners with the entertainment industry to
co-produce Wattpad stories for TV, film, digital video, and print.”
The list of partnerships is impressive, including well known companies
like Sony Pictures Television, NBC, CBC and more.

The Breach

On July 14, 2020, our research team discovered that a threat actor
shared a compromised database allegedly originating from Wattpad. The
leaked database included more than 270 million records with more than
268 million unique email address and password combinations.

Upon further investigation, our research team concluded that the
database was originally breached in June 2020 and contains personally
identifiable information (PII) in addition to the user account
credentials. Although other publications have released details on the
initial attempt to sell the data, as well as naming the threat actors
responsible, a breakdown of affected credentials has not been released
– until now.

Email Address Domain Breakdown

The breached SQL database contains one large user table, consisting of
270,784,079 email addresses. After removing the duplicates,
268,830,266 email addresses remained.

The user table also contained user IDs, names, IP addresses,
locations, an empty data column designated for phone numbers, dates of
birth, genders, Facebook and Twitter IDs, Tumblr URL, Tumblr email
addresses, and Tumblr passwords.

Further analysis of the database shows that the email addresses
contain the following domain breakdown:

gmail.com: 161,579,758
yahoo.com: 35,131,453
hotmail.com: 31,278,097
.mil: 2,713,612
.edu: 973,164
.gov: 139,506

While a high number of compromised gmail, yahoo, and hotmail domains
were expected, the amount of military related email addresses were
not. Nearly 3 million .mil accounts had been compromised in the
Wattpad breach. Email addresses and records for Wattpad employees were
also found in the database.

In addition, an analysis using various Fortune 500 companies shows
that commercial email addresses are also included in the compromise:

Microsoft.com: 1,722
Accenture.com: 393
AIG.com: 308
Deloitte.com: 116
Target.com: 101
Adobe.com: 48
Experian.com: 9

Increased Risk for Exposed Users

This recent hack will leave users and businesses exposed to a variety
of cyberattacks. User credentials are often leveraged by threat actors
in attempts to gain access to other valuable platforms such as bank
accounts, personal email accounts, and corporate systems. Commercial
email addresses can also be targets for spear-phishing or extortion.

It is uncommon for so many records to be unique given that the number
of exposed records is extremely high. This is likely to raise its
value to threat actors and hackers looking to take advantage of the
leaked credentials.

ShinyHunters, a notorious threat actor (or group), has claimed
responsibility for the hack, however they state that they are not
responsible for the publicly released database. ShinyHunters claims
that the version of the database they possess contains the user’s
password “salts”, while the newly released database does not. Password
salts are generated during the password encryption process, and can be
crucial for decrypting an encrypted password.

However, numerous files have already appeared and circulated on dark
web forums containing at least 8 million decrypted WattPad user
passwords.

Previous Breaches and Current Investigations

Wattpad was also involved in a data breach in 2015, publicly stating
that an unknown amount of account details and passwords were exposed.
It does not appear that this current incident is related to their
previous breach.

We have reached out to Wattpad regarding the compromised database but
have not received a response.

According to BleepingComputer, a representative from Wattpad stated:

“We are aware of reports that some user data has been accessed without
authorization. We are urgently working to investigate, contain, and
remediate the issue with the assistance of external security
consultants.

>From our investigation, to date, we can confirm that no financial
information, stories, private messages, or phone numbers were accessed
during this incident. Wattpad does not process financial information
through our impacted servers, and active Wattpad users’ passwords are
salted and cryptographically hashed.

We are committed to maintaining the trust that our users have placed
in us to ensure the safety and security of the Wattpad community.”

Wattpad representative

The same statement was posted on Wattpad’s blog on July 14th. On July
21st, the company shared a more detailed statement about the event and
posted a FAQ on their support page.

Given the popularity of the site, the size of the database, the
notoriety of the threat actor(s) involved, and the potential value of
the data, media coverage of the event has been surprisingly quiet.
Unlike the flood of headlines generated by other large events, this
breach had garnered relatively little coverage.

In the meantime, Wattpad appears to be underplaying the seriousness of
the event with statements like this one from their FAQ:

Is there any potential impact on users?
Given the type of information that we have about our users, we think
it’s unlikely that this will meaningfully affect our users.

The Data Breach Landscape

According to Risk Based Security’s Q1 Data Breach Report,
approximately 50% of the breaches reported in the first three months
of the year resulted in the compromise of access credentials in the
form passwords in combination with email addresses or usernames.
Credentials theft remains very popular thanks to password reuse across
multiple sites and services and is expected to remain in the top spot
of the most compromised data type.

Stay tuned for the Mid-Year Data Breach Report for more insight into
breach activity reported through the first six months of the year.