DIY website builder Weebly was secured feebly

43m credentials lifted, plus 58m more at Modern Business Solutions and 22m from FourSquare


Another day, another three major breaches: this time at do-it-yourself website builder Weebly, which has been revealed as secured feebly, as were FourSquare and Modern Business Solutions.

A letter to users kindly forwarded to The Register by reader “Ham” explains the situation at Weebly as follows:

Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers. Encrypted passwords are difficult to read or decode, and we do not believe that any customer website has been improperly accessed.

The statement goes on to say “We do not store any full credit card numbers, and so we do not believe that any credit card information which can be used for fraudulent charges was a part of this incident.”

But the service nonetheless says “As a precautionary security measure, we suggest that you reset your password.”

Mass-crack tracker LeakedSource says Weebly was cracked in February 2016, and that it is in possession of data describing 43,430,316 users. Thankfully the passwords are well-hashed, so the site can only report that gmail, yahoo and hotmail email addresses dominate the data dump.

LeakedSource also mentions, quite casually because “We are virtually up to our eyeballs with hundreds more databases”, that it's aware of 58,848,226 users' records from Modern Business Solutions and 22,534,984 credentials from FourSquare. The latter breach was in December 2013, but Modern Business Solutions was popped just this month.

Scarcely a week passes without an entity holding millions of user records being compromised, with news of their problems often trailing cracks by weeks or months. As ever, a sound response to the state of utter insecurity in which we find ourselves is to employ a password manager, to avoid re-using passwords, and to use only discrete passwords and credentials for the services that expose you to financial loss. ®

