Smartphone news and reviews site MoDaCo has admitted to a data breach.
Email and IP addresses together with (hashed) passwords and usernames for up to 875,000 MoDaCo accounts were dumped online. Early suggestions are that the breach happened in January 2016. Indications are that a compromised admin account was the root cause of the breach, as MoDaCo’s O’Brien explains:
“We have determined that the breach is likely to have occurred by way of a compromised Administrator account. We have taken action to prevent this vector being accessible in this way in the future, for us it is a lesson learned, albeit in a very difficult way to stomach. We are also liaising with the CMS provider to determine additional ways to mitigate similar attacks going forward.”
Mark James, IT security specialist at ESET, noted that some forum members have already expressed displeasure about only finding out about the breach from a third-party source rather than from MoDaCo directly.
“Data breaches happen all the time, this particular one is causing a bit of a storm on their own forums as the users would like to have received notification from the owners first not through a third party site,” James said. “Looking through the forum posts, many of the users have not used the site for a while and were looking for means to delete their accounts.”
“The problems of course are that when we create usernames and passwords on sites that reflect our current interests if we then move on or stop using those sites it’s sometimes difficult or almost impossible to delete those redundant accounts,” he added. ®