An unknown hacker has downloaded 2.2 million passwords from a teen social site. To make matters worse, all of the passwords are in plaintext format.
In the correspondence that followed, the hacker provided both outlets with 2.2 million plaintext passwords they had acquired from i-Dressup, a website which offers fashion-themed games for teens.
Ars Technica and security researcher Troy Hunt both confirmed the legitimacy of the data dump by verifying that many of the email addresses were indeed registered on i-Dressup.
According to the hacker, it took them just three weeks to exploit vulnerabilities on i-Dressup's website using an SQL injection attack, allowing them to gain access to the password database.
But the breach doesn't end there, unfortunately. The hacker went on to state it would be trivial for them or another attacker to make off with the entire database of 5.5 million plaintext passwords.
Concerned for those remaining 3.3 million users, Ars Technica reached out to i-Dressup, but to no avail. As Ars Technica writer Dan Goodin explains:
"Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials.... Ars ... used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed."
Nothing says "secure site" more than the chirping of crickets.
The sound of silence is also prevalent on the website's social media, though as the below screenshot demonstrates, some users are aware of the breach enough to post something to the company's official Facebook page:
Unfortunately, until i-Dressup patches the vulnerability, actors can continually compromise users' plaintext passwords and gain unauthorized access to their accounts. It's up to members as to whether they want to endure that continual headache or temporarily deactivate their accounts instead. Regardless, all i-Dressup users should make sure they're not reusing their password across other web accounts.
Now we sit and wait to see if i-Dressup takes responsibility for its users' security....