Hacker downloads 2.2 million PLAINTEXT passwords from teen social site

And there’s another 3.3 million waiting to be picked off…

iDressUp

An unknown hacker has downloaded 2.2 million passwords from a teen social site. To make matters worse, all of the passwords are in plaintext format.

Ars Technica first learned of the breach when the hacker reached out to it and breach notification service Have I Been Pwned?

In the correspondence that followed, the hacker provided both outlets with 2.2 million plaintext passwords they had acquired from i-Dressup, a website which offers fashion-themed games for teens.

Ars Technica and security researcher Troy Hunt both confirmed the legitimacy of the data dump by verifying that many of the email addresses were indeed registered on i-Dressup.

According to the hacker, it took them just three weeks to exploit vulnerabilities on i-Dressup's website using an SQL injection attack, allowing them to gain access to the password database.

But the breach doesn't end there, unfortunately. The hacker went on to state it would be trivial for them or another attacker to make off with the entire database of 5.5 million plaintext passwords.

Concerned for those remaining 3.3 million users, Ars Technica reached out to i-Dressup, but to no avail. As Ars Technica writer Dan Goodin explains:

"Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials.... Ars ... used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed."

Giphy

Nothing says "secure site" more than the chirping of crickets.

The sound of silence is also prevalent on the website's social media, though as the below screenshot demonstrates, some users are aware of the breach enough to post something to the company's official Facebook page:

Screen shot 2016 09 28 at 10.18.04 am

Unfortunately, until i-Dressup patches the vulnerability, actors can continually compromise users' plaintext passwords and gain unauthorized access to their accounts. It's up to members as to whether they want to endure that continual headache or temporarily deactivate their accounts instead. Regardless, all i-Dressup users should make sure they're not reusing their password across other web accounts.

Now we sit and wait to see if i-Dressup takes responsibility for its users' security....

The teen social site joins Rambler.ru and LinkedIn, both of which suffered high-profile data breaches and failed to properly protect passwords in some way.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

One Response

  1. Zoe

    October 1, 2016 at 11:28 pm #

    NOO! I loved i-Dressup! I went on the website today to log in and everything was gone. I went to their facebook and people were posting links to this article and another about what happened and that's how I found out. So sad, :(

Leave a Reply