Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

But not all subscribers have been notified, because the alert didn’t come from the site admins but from the Have I Been Pwned? service. The service lets users register their email address and notifies them when that address turns up in data batches stolen in breaches.

According to the notification, MoDaCo suffered a data breach in January 2016, and the attacker made off with email and IP addresses, and usernames and passwords (stored as salted MD5 hashes) of nearly 880,000 subscribers.

The reason why MoDaCo hasn’t notified users of the breach is still unknown. MoDaCo founder Paul O’Brien promised to post an official statement about the incident later today, and reassured subscribers that all passwords are hashed and salted.

Security researcher Troy Hunt, who runs Have I Been Pwned?, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.

“With data that includes email and IP addresses, passwords and usernames, there’s nothing out of the ordinary there,” Mark James, IT Security Specialist at ESET, commented for Help Net Security.

“To be honest, data breaches happen all the time. This particular one is causing a bit of a storm on their own forums, as the users would like to have received notification from the owners first, not through a third-party site. Looking through the forum posts, many of the users have not used the site for a while and were looking for means to delete their accounts. The problem, of course, is that when we create usernames and passwords on sites that reflect our current interests, and we then move on or stop using those sites, it’s sometimes difficult or almost impossible to delete those redundant accounts. This breach apparently happened in January 2016 (that needs to be confirmed officially), but at least the passwords were stored as salted MD5 hashes and not in plaintext.”

Help Net Security