Evite hit with data breach

News by Robert Abel

Names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses were potentially affected in the incident at the online invitation company

Online invitation company Evite announced it was affected by a data breach involving the unauthorised access of customer information.

Evite learned of the incident in April 2019 and upon investigation, learned malicious activity started on February 22, 2019 when the unauthorised party acquired an inactive data storage file associated with the firm’s user accounts, according to a security update.

Names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses were potentially affected in the incident.

Once the breach had been discovered, the firm notified the authorities and brought in an external forensics team to assess the situation and address any vulnerabilities in the system and remediate the incident.

Those affected are advised to change their password for any other account using shared credentials, review accounts for suspicious activity, be cautious of unsolicited communications that ask for personal data, and avoid clicking on the links or downloading attachments from suspicious emails.

Damien Radford, principal engineer at Bugcrowd told SC Media the Evite data breach isn’t unprecedented and the fact that it’s all old data likely means that someone made a backup of that data, or left an old database running that eventually got exposed via a vulnerability.

"As a business, this goes back to the importance of understanding your attack surface – since those old skeletons, while old, are still skeletons," Radford said.

"There is always the potential for exploitable data to exist in cold storage or backup formats created prior to business adopting a security posture as well. Therefore, it is extremely important for companies to ensure data retention policies include investigating and removing older backups, if no longer needed."

He added that it’s equally important to realise that any form of personal information could be used in a phishing or social engineering attack and that just because an export doesn’t contain a password does not mean it’s not exploitable.

This article was originally published on SC Media US

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop