Online criminals have pulled off a tried-and-true password brute-force attack against online marketplace Zazzle.
On 25 August, the company notified the Office of the Attorney General in California about a security incident that might have undermined users' account security. As Zazzle explains in a breach notification letter:
We take security extremely seriously at Zazzle and wanted to let you know that in July 2017, our Security Team detected a brute force data security attack. During this data breach, some unauthorized login attempts to Zazzle accounts were made, including one using your Zazzle username (email address) and password.
Given the nature of the incident, Zazzle believes that your username (email address) and password may have been obtained by an unauthorized third party, through a breach of other website(s), who then tried to confirm your credentials on our site.
Those behind the attack attempted to authenticate users of the site without their authorization. They did this using password reuse attacks, or by stealing users' login credentials publicly disclosed in the Weebly, Dropbox, LinkedIn, and other "mega-breaches" of 2016 (among other security incidents) and trying them across various web services.
At this time, it's unclear just how many members the attack might have affected. Zazzle's CTO Bobby Beaver estimates the attackers might have gained access to "thousands of accounts," a general figure which he says represents only "a small percentage of accounts."
But even if an attacker did access their profile, Beaver wants to reassure users that they can recover from the hack using the site's password recovery mechanism.
As he told ZDNet:
"The reset procedure we referenced requires the user reconfirm their email address by sending a security token to that email address. As such, a malicious actor could not reset the password for the account -- unless they had access to the email account itself, which is not in our control."
Rather than take a chance with users' accounts, Zazzle has imposed a mandatory password reset for all members. Users should therefore choose a strong password to protect their account whenever they next visit the online marketplace. Whatever they choose should be one that they haven't used with any of their other accounts.
That's not to say that Zazzle is sitting on its hands in the meantime, however.
The company has implemented a CAPTCHA to prevent automated login attempts. It's also considering the activation of additional security measures.
If it follows that advice Zazzle's users will thank it in the long-run.