Popular font-sharing site DaFont.com has been hacked, exposing the site’s entire database of user accounts.
Usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen in the breach, carried out earlier this month by a hacker who would not divulge his name.
The passwords were hashed with the deprecated MD5 algorithm, which is now easy to crack. As a result, the hacker was able to recover over 98 percent of the passwords in plain text. The site’s main database also contains the site’s forum data, including private messages, among other site information. At the time of writing, there were over half a million posts on the site’s forums.
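To show why an MD5 password store falls so quickly, here is an added example (not code from DaFont or from the article) that runs the same small constructed wordlist against unsalted MD5 hashes and against salted PBKDF2-HMAC-SHA256 records. The wordlist, the sample passwords, and the lowered iteration count are assumptions for the demonstration; OWASP’s current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations. The point is the cost model: one table of MD5 digests serves an entire dump, whereas a salted slow hash forces a full KDF run per word per account.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the multi-gigabyte lists used in real cracking runs.
WORDLIST = ["password", "123456", "letmein", "qwerty", "dafont"]

# OWASP recommends 600,000 iterations for PBKDF2-HMAC-SHA256; the default is
# lowered here only so the demonstration finishes quickly (an assumption for the demo).
PBKDF2_ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the scheme the article says DaFont used."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_md5(stored_hashes: list[str]) -> dict[str, str]:
    """Build one lookup table from the wordlist and match every stored hash against it.

    MD5 is fast and these hashes carry no salt, so the table is computed once
    (one MD5 per word) and then serves the whole dump, however many rows it has.
    """
    table = {md5_hex(word): word for word in WORDLIST}
    return {h: table[h] for h in stored_hashes if h in table}


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple[bytes, bytes]:
    """Hash a password for storage: a fresh 16-byte random salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def recover_pbkdf2(records: list[tuple[bytes, bytes]],
                   iterations: int = PBKDF2_ITERATIONS) -> tuple[dict[int, str], int]:
    """Run the same wordlist against salted records.

    No shared table is possible: every (salt, word) pair is a separate KDF run,
    so the cost is len(WORDLIST) * iterations per account rather than one MD5
    per word for the whole dump. Returns recovered passwords keyed by record
    index, plus the number of KDF calls spent.
    """
    found: dict[int, str] = {}
    kdf_calls = 0
    for index, (salt, digest) in enumerate(records):
        for word in WORDLIST:
            kdf_calls += 1
            if pbkdf2_verify(word, salt, digest, iterations):
                found[index] = word
                break
    return found, kdf_calls


if __name__ == "__main__":
    # Constructed sample dump: two weak passwords and one passphrase not in the wordlist.
    dump = [md5_hex("password"), md5_hex("letmein"), md5_hex("correct horse battery staple")]
    print("MD5 recovered:", recover_md5(dump))
    records = [pbkdf2_store("letmein"), pbkdf2_store("correct horse battery staple")]
    print("PBKDF2 recovered, KDF calls:", recover_pbkdf2(records))
```

Running it recovers the two weak passwords from the MD5 dump with five hash computations in total, while the salted store needs a separate KDF run for each word tried against each record and yields nothing for the passphrase outside the wordlist. The defensive lessons are the ones the breach illustrates: store passwords with a salted, deliberately slow hash, and treat any leaked MD5 store as plaintext-equivalent.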
The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site’s database.
“I heard the database was getting traded around so I decided to dump it myself — like I always do,” the hacker told me. Asked about his motivations, he said it was “mainly just for the challenge [and] training my pentest skills.” He told me that he exploited a union-based SQL injection vulnerability in the site’s software, a flaw he said was “easy to find.”
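The flaw the hacker describes, a union-based SQL injection, comes from splicing user input into query text. The following added example (not DaFont’s code; the schema, table names, and search function are constructed for illustration) puts the vulnerable pattern next to the parameterised fix on an in-memory SQLite database, using the textbook union probe so both functions can be compared on identical input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a font site's tables (not DaFont's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE fonts (name TEXT, author TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO fonts VALUES ('Coolvetica', 'alice'), ('Bebas', 'bob');
        INSERT INTO users VALUES ('alice', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def search_fonts_vulnerable(conn: sqlite3.Connection, term: str) -> list[tuple]:
    """Splices the search term into the SQL text.

    A term containing a quote closes the string literal and the remainder is
    parsed as SQL, so a UNION clause can append rows from any other table with
    the same column count: the union-based injection the article describes.
    """
    sql = f"SELECT name, author FROM fonts WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fonts_safe(conn: sqlite3.Connection, term: str) -> list[tuple]:
    """Parameterised query: the term travels as a bound value, never as SQL text."""
    sql = "SELECT name, author FROM fonts WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Textbook union probe (constructed), used only to compare the two functions.
UNION_PROBE = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    conn = make_db()
    print("normal term, vulnerable:", search_fonts_vulnerable(conn, "Cool"))
    print("normal term, safe:      ", search_fonts_safe(conn, "Cool"))
    print("probe, vulnerable:      ", search_fonts_vulnerable(conn, UNION_PROBE))
    print("probe, safe:            ", search_fonts_safe(conn, UNION_PROBE))
```

On an ordinary search both functions return the same row. On the probe the vulnerable function returns a row from the `users` table, while the parameterised version treats the whole string as a LIKE pattern and returns nothing. The fix is the binding, not escaping or input filtering; any query that builds SQL by string formatting from request data has the same defect regardless of database engine.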
The hacker provided the database to ZDNet for verification.
We verified a little over a dozen accounts by enumerating disposable email accounts with the site’s password reset function. (We have more on how we verify breaches here.) In each case, the site validated the email address and sent a new password (in plain text) to the disposable email account.
The hacker also provided the database to Troy Hunt, who runs breach notification site Have I Been Pwned.
Hunt’s analysis confirmed 637,340 unique email addresses in the database, 62 percent of which already appeared in Have I Been Pwned.
While the hack of DaFont is far from the biggest data breach we’ve covered, it could still cause considerable headaches for a lot of people — even if the free site didn’t store any payment or other critically sensitive data. That’s because this breach involves a huge trove of email addresses and passwords that could allow a hacker to break into other, more sensitive sites and services that share the same password.
In the case of corporate accounts, that could lead to further breaches of sensitive and confidential business files. Among the confirmed email addresses in the breach, several were corporate accounts at Microsoft, Google, and Apple.
Dozens of accounts were also associated with UK and US government agencies.
We made several attempts to contact the site’s registered owners, Rodolphe Milan and Nicolas Peton, but our emails and voicemails were not returned in the days prior to publication.
Anyone thought to be affected by the breach can now search for their data in Have I Been Pwned.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.