UK-based Android community MoDaCo has suffered a data breach, potentially exposing a database of hundreds of thousands of online users.
MoDaCo founder Paul O’Brien has issued a statement, apologising to affected users and stating that all stored passwords are salted and hashed:
Part of the statement reads as follows:
Earlier today a number of users contacted us to inform us that data breach tracking site, haveibeenpwned.com, is notifying users of a data breach of the MoDaCo database.
After initial investigations, we have determined that this report is correct - a dump of the MoDaCo database has been extracted by an unauthorised entity.
First of all - we are of course very disappointed that this has happened, the security of your data is very important to us - I appreciate we’ve let you down in this regard but hope we can allay some concerns and do our best to rebuild your confidence starting now.
MoDaCo runs on a market leading CMS, is regularly updated and runs on a server which too receives regular updates and security scans. We chose the CMS we use because it receives frequent security fixes and most importantly, stores passwords in a very secure Blowfish based form.
Although password details might be out of the hands of hackers, it seems that other personal information - such as usernames and email addresses - may have been exposed. As a result, affected users would be wise to be on the lookout for phishing attacks and spam campaigns.
Interestingly, MoDaCo says that it believes that the hackers gained access to the user database after compromising an administrator’s account. Whether that was through a phishing an admin’s passwords, or the administrator making the mistake of using an easy-to-crack password or reusing the same password across multiple sites is not clear.
But one can definitely make the case that additional authentication methods - such as two-factor authentication - might have gone some way to better protect the community’s admin accounts from being accessed by unauthorised users.