Quidd, an app designed to redeem various digital collectibles such as cards, toys and stickers, suffered a massive data breach that compromised the personal information of nearly 4 million customers.
Researchers from Risk Based Security recently discovered that the login credentials of nearly 4 million Quidd users had been posted on a Dark Web hacking forum. The stolen data included Quidd usernames, email addresses and hashed passwords, and was available to Dark Web hackers without any restrictions.
According to the security firm, hacker group ProTag claimed to have orchestrated the cyberattack on Quidd. Hackers uploaded the stolen data to a Dark Web forum on March 12, 2020 for a short time, and then uploaded the data again on March 29. In addition, ZDNet also learned from a data trader that hackers had placed advertisements about the stolen data on dark web forums as early as October of last year.
“A Risk Based Security researcher who monitors the forum confirmed that the post came from a trusted source. After initial testing, the data appears to be valid. The disclosed data sets include the email addresses, usernames and bcrypt-hashed passwords of 3,954,416 users. They also included the work email addresses of thousands of well-known companies such as Microsoft, Experian, AIG, Accenture, Target, University of Pennsylvania, Virgin Media, and Tutanota,” the researchers said.
Researchers found that a hacker had already cracked over a million passwords and that another hacker was currently selling over 135,000 cracked Quidd passwords. Although Quidd has not released any statements regarding the data breach, researchers have advised Quidd users to change their account passwords as soon as possible.
Organizations should embrace tokenization to make stolen data unusable
Commenting on the breach suffered by Quidd, Anna Russell, vice president EMEA at comforte AG, told TEISS that email addresses, usernames and hashed passwords are examples of valuable information, and that it is therefore not surprising that hackers frequently target the infrastructure that holds this critical information.
“While there is no foolproof way to prevent these hackers from gaining access to this information, there are solutions that protect the valuable information itself. While Quidd is fortunate that the passwords were hashed with bcrypt, it does mean that the information can still be exposed in plain text. Indeed, more than 100,000 passwords have already been cracked, and more will certainly follow. Businesses should look to deploy data security tactics such as tokenization. This means that sensitive information is rendered unusable for unauthorized access, instead of posing a challenge for determined hackers.”
Stuart Sharp, vice president of solutions engineering at OneLogin, also told TEISS that the challenge for the industry is to make it easier for users to improve their security. The quick win is to add MFA in addition to passwords. Even weaker forms of MFA, such as OTP messages via email or SMS, will greatly reduce the threat posed by compromised passwords, but a range of MFA options should be offered to allow individuals to choose more secure options when they are ready.
“In the longer term, the industry must help individuals in their desire to move towards passwordless authentication. Everyone from hardware manufacturers to application developers must embrace this trend to provide better security that is easy to adopt and use in everyday life,” he added.