[BreachExchange] Promo Data Breach Hits 14.6 Million User Accounts

Destry Winant destry at riskbasedsecurity.com
Thu Jul 30 09:53:02 EDT 2020


https://www.infosecurity-magazine.com/news/promo-data-breach-hits-146-million/

An Israeli marketing video firm this week announced a major breach of
user data which appears to have impacted over 14 million accounts.

Promo, which describes itself as “the world’s #1 marketing video
maker,” revealed in an online notice that a vulnerability in a
third-party service was to blame for the incident, which also affected
customers of its Slidely business.

Although social media log-ins and financial information were not
compromised, the attackers appear to have made off with plenty of
sensitive personal data.

“The exposed data includes first name, last name, email address, IP
address, approximated user location based on the IP address, gender,
as well as encrypted, hashed and salted password to the Promo or
Slidely account,” said Promo.

“Although your account password was hashed and salted (a method used
to secure passwords with a key), it’s possible that it was decoded.”

In fact, this does seem to be the case, after dark web traders were
spotted selling the haul, including 1.4 million cracked passwords.

Although Promo failed to quantify the scale of the breach,
HaveIBeenPwned has claimed the incident exposed 22 million records
containing over 14.6 million unique email addresses.

Promo has informed all affected customers and will force a password
reset as a precaution, although credential stuffing remains a threat.

“Users need to double-check their password usage on other websites and
online services, ensuring they are not using the same passwords on
those accounts,” warned Chris Hauk, consumer privacy champion at Pixel
Privacy.

