ClixSense Hacked, 6 Million Plaintext Passwords Leaked
User names, passwords, home addresses and email addresses of over 6 million users of ClixSense have been exposed after hackers hit the ‘click for cash’ website. To make matters worse, the passwords were stored in plaintext.
ClixSense, which pays people to take online surveys, said so far details relating to 2.2 million users have appeared online, with another 4.4 million accounts potentially affected. Security researcher Troy Hunt said the exposed data included account balances, payment method and history, dates of birth, and home addresses.
In a statement ClixSense said the hacker gained access through an old server that was no longer in use but remained connected to the network. In the “short time” the hacker had access to ClixSense’s main database, he or she “was able to copy most if not all of our users table, ran some SQL code that changed the names on accounts to "hacked account" and deleted many forum posts.” All account balances were set to $0.00, the statement added.
The breached server has been taken offline, ClixSense added. User balances and forum posts were restored, and most users had their account name restored as well. ClixSense also forced a password change for all users.
ClixSense’s statement added that user accounts are “now much more secure,” but did not add any further information about what steps had been taken to secure user accounts, such as adding proper protection to user passwords.
“To say this past week was a bit stressful is an understatement. It has taught us that regardless of what you do to stay secure, it still may not be enough. We are continuing to improve ClixSense security all around and we will continue to keep you updated on any new developments,” the statement added.
Because the passwords were stored in plaintext, the hackers do not need to crack them first, as they would if the passwords had been stored as salted, slow hashes; they can attempt to log in to user accounts on other services right away. Users are advised to change their password on any other website where it may have been reused.
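The "proper protection" the article finds missing from ClixSense's statement is salted, deliberately slow password hashing with constant-time verification. The following is an added illustration written for this page, not ClixSense's code and not part of the original article: it stores only a PBKDF2-HMAC-SHA256 digest with a random per-user salt, verifies logins without ever keeping the plaintext, and flags records whose cost parameter has fallen below the current setting so they can be upgraded at next login. The record format, the `UserStore` class and the iteration count are this example's own assumptions; PBKDF2 is used because it is in the Python standard library, while a new deployment would more often pick argon2id or bcrypt from a third-party package.

```python
import hashlib
import hmac
import os

# Assumed tunables for this example (not from the article). Raise ITERATIONS
# as hardware gets faster; every stored record carries the value it was hashed with.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The plaintext is never stored; a fresh random salt per call means two users
    with the same password get different records, defeating precomputed tables.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker cost than the current setting."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations


class UserStore:
    """Minimal in-memory users table (constructed for this example) that keeps
    only password records, never plaintext passwords."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}
        # A dummy record so that logins for unknown users cost the same as real
        # ones, which keeps username enumeration via timing harder.
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            verify_password(password, self._dummy)
            return False
        if not verify_password(password, record):
            return False
        # Transparent upgrade: the plaintext is only available at login time.
        if needs_rehash(record):
            self._records[username] = hash_password(password)
        return True

    def stored_record(self, username: str) -> str:
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("stored:", store.stored_record("alice"))
    print("good login:", store.login("alice", "correct horse battery staple"))
    print("bad login:", store.login("alice", "hunter2"))
```

Had ClixSense's users table held records of this shape, an attacker who copied it would still face a per-password brute-force at 600,000 HMAC rounds per guess, instead of being able to reuse the credentials on other sites immediately.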
Photo © Andrey_Popov
Source: Information Security Magazine