Trakt, the makers of an app that monitors users' TV programme and movie viewing habits, has 'fessed up to falling victim to a PHP exploit more than four years ago that resulted in data leakage.
The company has written to customers revealing it "learned of a data breach that occurred back in December 2014. The breach involved some of our personal information, such as user name, email and encrypted password."
"Although this happened in 2014 we only recently discovered this, and wanted to promptly provide notice as part of our commitment to your privacy," the email added.
The "good news", Trakt told paying customers (the basic app is free), is that payment information was not included in the security wobble – that data is held by payment processors, rather than within its own servers.
But the data "lost" included email, usernames, encrypted passwords and names, as well as customers' "location".
By January 2015, the business said it had moved from version 1 of its site to version 2 and "[i]n doing so, we removed any access outsiders had to your information".
This shift led to a "more secure algorithm for storing passwords", the platform change "removed the exploit" and the fresher infrastructure had "far tighter restrictions", Trakt claimed.
It has reset passwords for affected users, sending an email with a reset link. Presumably the same email address that was leaked. And Trakt assured customers: "We are diligently monitoring our site."
A probe into the leak is ongoing "but we believe a PHP exploit was used to capture data from Trakt users".
"We know you trust us with your data and we failed to protect it. We're incredibly sorry that this happened and hope that you'll let us earn your trust back," the email concluded. ®