No razzle-dazzle here! Hackers target Zazzle with run-of-the-mill brute-force attack

We’ve said it before: stop reusing passwords on different sites.

Online criminals have pulled off a tried-and-true password brute-force attack against online marketplace Zazzle.

On 25 August, the company notified the Office of the Attorney General in California about a security incident that might have undermined users' account security. As Zazzle explains in a breach notification letter:

We take security extremely seriously at Zazzle and wanted to let you know that in July 2017, our Security Team detected a brute force data security attack. During this data breach, some unauthorized login attempts to Zazzle accounts were made, including one using your Zazzle username (email address) and password.

Given the nature of the incident, Zazzle believes that your username (email address) and password may have been obtained by an unauthorized third party, through a breach of other website(s), who then tried to confirm your credentials on our site.

Those behind the attack attempted to authenticate as users of the site without their authorization. They did this using password reuse attacks: taking login credentials publicly disclosed in the Weebly, Dropbox, LinkedIn, and other "mega-breaches" of 2016 (among other security incidents) and trying them across various web services.

At this time, it's unclear just how many members the attack might have affected. Zazzle's CTO Bobby Beaver estimates the attackers might have gained access to "thousands of accounts," a general figure which he says represents only "a small percentage of accounts."

But even if an attacker did access their profile, Beaver wants to reassure users that they can recover from the hack using the site's password recovery mechanism.

As he told ZDNet:

"The reset procedure we referenced requires the user reconfirm their email address by sending a security token to that email address. As such, a malicious actor could not reset the password for the account -- unless they had access to the email account itself, which is not in our control."

Rather than take a chance with users' accounts, Zazzle has imposed a mandatory password reset for all members. Users should therefore choose a strong password to protect their account whenever they next visit the online marketplace. Whatever they choose should be one that they haven't used with any of their other accounts.

That's not to say that Zazzle is sitting on its hands in the meantime, however.

The company has implemented a CAPTCHA to prevent automated login attempts. It's also considering the activation of additional security measures.
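The attack pattern described above looks different from a classic single-account brute force: many accounts, one or two attempts each, from the same source. The following is an added example (not Zazzle's code) showing how a defender can tell the two apart in login logs and pick out the accounts that need a forced reset; the log format and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login log; the "timestamp ip user result" format is an
# assumption. 203.0.113.7 tries many accounts once each (credential stuffing),
# 198.51.100.9 hammers one account (brute force), 192.0.2.20 is a normal user.
SAMPLE_LOG = """\
2017-07-10T02:00:01 203.0.113.7 alice@example.com FAIL
2017-07-10T02:00:02 203.0.113.7 bob@example.com FAIL
2017-07-10T02:00:03 203.0.113.7 carol@example.com OK
2017-07-10T02:00:04 203.0.113.7 dave@example.com FAIL
2017-07-10T02:00:05 203.0.113.7 erin@example.com FAIL
2017-07-10T02:00:06 203.0.113.7 frank@example.com FAIL
2017-07-10T02:00:07 198.51.100.9 alice@example.com FAIL
2017-07-10T02:00:08 198.51.100.9 alice@example.com FAIL
2017-07-10T02:00:09 198.51.100.9 alice@example.com FAIL
2017-07-10T02:00:10 198.51.100.9 alice@example.com FAIL
2017-07-10T02:00:11 198.51.100.9 alice@example.com FAIL
2017-07-10T02:01:00 192.0.2.20 grace@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, user, result) for each well-formed log line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)

def classify_sources(log, min_accounts=5, max_mean_attempts=3, min_single=5):
    """Map flagged source IPs to 'stuffing' or 'bruteforce'.

    Stuffing: many distinct accounts, few attempts each (a leaked list being
    replayed). Brute force: many attempts against one account. Per-account
    lockouts catch the second but not the first, hence the per-source view.
    """
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    for _, ip, user, _ in parse(log):
        attempts[ip][user] += 1
    verdicts = {}
    for ip, users in attempts.items():
        total = sum(users.values())
        if len(users) >= min_accounts and total / len(users) < max_mean_attempts:
            verdicts[ip] = "stuffing"
        elif max(users.values()) >= min_single:
            verdicts[ip] = "bruteforce"
    return verdicts

def accounts_to_reset(log, verdicts):
    """Accounts with a successful login from a flagged source: force a reset."""
    return sorted({u for _, ip, u, r in parse(log) if r == "OK" and verdicts.get(ip)})
```

Flagged sources are the ones to challenge with a CAPTCHA or rate limit; a successful login from a flagged source is the signal that a reused password was confirmed.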

Considering that the company suffered two breaches in August 2016, Zazzle should look into extra measures, such as a two-step verification (2SV) security feature.

If it follows that advice, Zazzle's users will thank it in the long run.
