
DIY website builder Weebly was secured feebly

43m credentials lifted, plus 58m more at Modern Business Solutions and 22m from FourSquare

By Simon Sharwood, 21 Oct 2016

Another day, another three major breaches: this time at do-it-yourself website builder Weebly, which has been revealed as secured feebly, as were FourSquare and Modern Business Solutions.

A letter to users, kindly forwarded to The Register by reader “Ham”, explains the situation at Weebly as follows:

Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers. Encrypted passwords are difficult to read or decode, and we do not believe that any customer website has been improperly accessed.

The statement goes on to say “We do not store any full credit card numbers, and so we do not believe that any credit card information which can be used for fraudulent charges was a part of this incident.”

But the service nonetheless says “As a precautionary security measure, we suggest that you reset your password.”

Mass-crack tracker LeakedSource says Weebly was cracked in February 2016, and that it is in possession of data describing 43,430,316 users. Thankfully the passwords are well-hashed, so the site can only report that gmail, yahoo and hotmail email addresses dominate the data dump.

LeakedSource also mentions, quite casually because “We are virtually up to our eyeballs with hundreds more databases”, that it's aware of 58,848,226 users' records from Modern Business Solutions and 22,534,984 credentials from FourSquare. The latter breach was in December 2013, but Modern Business Solutions was popped just this month.

Scarcely a week passes without an entity holding millions of user records being compromised, with news of their problems often trailing cracks by weeks or months. As ever, a sound response to the state of utter insecurity in which we find ourselves is to employ a password manager, not re-use passwords, and only use discrete passwords and credentials for the services that expose you to financial loss. ®
