Font sharing site DaFont has been hacked, exposing thousands of accounts

Popular font sharing site DaFont.com has been hacked, exposing the site’s entire database of user accounts.
Usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen in the breach, carried out earlier this month by a hacker who would not divulge his name.
The passwords were hashed with MD5, a deprecated algorithm that is fast to compute and therefore easy to crack by trying candidate passwords at scale. The hacker recovered over 98 percent of the passwords in plain text. The site’s main database also contains the site’s forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site’s forums.
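To show why unsalted MD5 falls to a dictionary attack so quickly, here is an added example that is not part of the article and uses no DaFont data: a constructed dump of made-up accounts, a constructed mini wordlist, and the same attack run against salted, iterated PBKDF2 hashes for contrast. Usernames, passwords, and the wordlist are all assumptions invented for the demonstration.

```python
import hashlib
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest, the way a legacy site might store a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample dump: username -> unsalted MD5 hex. Made-up accounts,
# not rows from any real breach.
SAMPLE_DUMP = {
    "alice": md5_hex("password"),
    "bob": md5_hex("123456"),
    "carol": md5_hex("fontlover"),
    "dave": md5_hex("Xq4!vR9#pLw2"),  # not in the wordlist, should survive
}

# Constructed mini wordlist; real attacks use lists with hundreds of millions
# of entries plus mangling rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "fontlover", "dafont"]


def crack_unsalted_md5(dump: dict, wordlist: list) -> dict:
    """Dictionary attack against unsalted hashes.

    Each candidate is hashed exactly once and the result looked up against
    every stored hash, so the cost is O(len(wordlist)) no matter how many
    accounts are in the dump. This is why one leaked MD5 table of 700k users
    is cracked almost as cheaply as one of 700.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); bcrypt/scrypt/Argon2 are
    the usual production choices, PBKDF2 is used here because it is in the
    standard library."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def make_salted_dump(passwords: dict, iterations: int) -> dict:
    """Build username -> (salt, hash) with a fresh random salt per user."""
    dump = {}
    for user, password in passwords.items():
        salt = os.urandom(16)
        dump[user] = (salt, pbkdf2_hex(password, salt, iterations))
    return dump


def crack_salted_pbkdf2(dump: dict, wordlist: list, iterations: int) -> dict:
    """The same dictionary attack against salted, iterated hashes.

    The per-user salt defeats the shared lookup table, so every candidate has
    to be re-hashed for every user, and each hash costs `iterations` rounds:
    O(len(dump) * len(wordlist) * iterations) instead of O(len(wordlist)).
    """
    recovered = {}
    for user, (salt, stored) in dump.items():
        for word in wordlist:
            if pbkdf2_hex(word, salt, iterations) == stored:
                recovered[user] = word
                break
    return recovered


if __name__ == "__main__":
    print("unsalted MD5 recovered:", crack_unsalted_md5(SAMPLE_DUMP, WORDLIST))
    salted = make_salted_dump({"alice": "password", "dave": "Xq4!vR9#pLw2"}, 100_000)
    print("salted PBKDF2 recovered:", crack_salted_pbkdf2(salted, WORDLIST, 100_000))
```

The salted attack still recovers "password" for alice, because slow hashing does not rescue a weak password; what it changes is the cost per guess, so the 98 percent recovery rate reported here would take orders of magnitude more compute against a properly hashed database.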
The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site’s database.
“I heard the database was getting traded around so I decided to dump it myself — like I always do,” the hacker told me. Asked about his motivations, he said it was “mainly just for the challenge [and] training my pentest skills.” He told me that he exploited a union-based SQL injection vulnerability in the site’s software, a flaw he said was “easy to find.”
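The hacker describes a union-based SQL injection. As an added example that is not the article’s code and has nothing to do with DaFont’s actual software, the following uses an in-memory SQLite database with a constructed `fonts` table and a constructed `users` table to show how a UNION payload in a search box returns rows from an unrelated table, and how a parameterized query closes the hole. Table names, column names, usernames and the payload are all assumptions for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows for the demo; not the real site's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE fonts (id INTEGER PRIMARY KEY, name TEXT, author TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            email TEXT, password_md5 TEXT);
        INSERT INTO fonts VALUES (1, 'Open Serif', 'alice'),
                                 (2, 'Mono Grotesk', 'bob');
        -- password_md5 values are md5('password') and md5('123456')
        INSERT INTO users VALUES
            (1, 'alice', 'alice@example.com', '5f4dcc3b5aa765d61d8327deb882cf99'),
            (2, 'bob',   'bob@example.com',   'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return conn


def search_fonts_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Search term is concatenated into the SQL text: the classic injection."""
    sql = "SELECT name, author FROM fonts WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fonts_safe(conn: sqlite3.Connection, term: str) -> list:
    """Same query with a bound parameter: the term can only ever be a pattern."""
    sql = "SELECT name, author FROM fonts WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Union-based payload. It closes the LIKE string, appends a SELECT with the
# same column count (2) from the users table, and comments out the trailing
# "%'" the application adds. The attacker first has to discover the column
# count (e.g. by trying UNION SELECT NULL, NULL, ...), which is what makes a
# flaw like this "easy to find".
UNION_PAYLOAD = "x%' UNION SELECT email, password_md5 FROM users --"


if __name__ == "__main__":
    conn = build_db()
    print("normal search:", search_fonts_vulnerable(conn, "Serif"))
    print("injected search:", search_fonts_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized with same payload:", search_fonts_safe(conn, UNION_PAYLOAD))
```

The injected search returns every user’s email and password hash through the font-search endpoint, which matches the kind of full-table dump described here; the parameterized version returns nothing because the whole payload is treated as a LIKE pattern that matches no font name.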
The hacker provided the database to ZDNet for verification.
We verified a little over a dozen accounts by enumerating disposable email addresses through the site’s password reset function. (We have more on how we verify breaches here.) In each case, the site validated the email address and sent a new password, in plain text, to the disposable email account.
The hacker also provided the database to Troy Hunt, who runs breach notification site Have I Been Pwned.
Hunt’s analysis confirmed 637,340 unique email addresses in the database, 62 percent of which were already in his breach database.
While the hack of DaFont is far from the biggest data breach we’ve covered, it could still cause considerable headaches for a lot of people — even if the free site didn’t store any payment or other critically sensitive data. That’s because this breach involves a huge trove of email addresses and passwords that could allow a hacker to break into other, more sensitive sites and services that share the same password.
In the case of corporate accounts, that could lead to further data breaches of sensitive and confidential business files. Among the confirmed email addresses we found in the breach, several were Microsoft, Google, and Apple corporate accounts.
Dozens of accounts were also associated with UK and US government agencies.
We made several attempts to contact the site’s registered owners, Rodolphe Milan and Nicolas Peton, but our emails and voicemails were not returned in the days prior to publication.
Anyone thought to be affected by the breach can now search for their data in Have I Been Pwned.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.