Web design platform, Weebly, has informed customers of a data breach that happened eight months ago. Weebly said in an email to customers that user IP addresses were also taken in the breach.
The breach, affecting 43,430,316 customers, happened in February earlier this year; it is not known what caused it.
The database compromise has only now come to light following a tip-off from an anonymous source to LeakedSource.
Weebly confirmed the breach in an email to users, which has also been posted on Facebook.
"Weebly recently became aware that an unauthorised party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers," the message said.
"Encrypted passwords are difficult to read or decode, and we do not believe that any customer website has been improperly accessed.
"We do not store any full credit card numbers, so we do not believe that any credit card information, which can be used for fraudulent charges, was a part of this incident. As a precautionary security measure, we suggest that you reset your password."
Deepak Patel, director of security strategy for Imperva, told SCMagazineUK.com that the ease of getting millions of stolen credentials, combined with the fact that users will always continue to reuse passwords simply because they are human, makes brute force attacks more effective than ever and forces application providers to take proper measures to protect their users.
“As we see again in this case, data from breaches is hot merchandise on both sides of the legitimacy fence with the security marketplace on one side and the dark market on the other,” he said.
“To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures like rate limiting login attempts, detecting login attempts from automated browsers, treating with caution logins from unexpected countries and anonymous sources, and comparing login data to popular passwords and stolen credentials.”
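The detection measures Patel lists (rate limiting login attempts, spotting automated clients, treating logins from unexpected countries with caution, and checking submitted passwords against known-leaked credentials) can be sketched as a single login risk assessment. The following Python is an added illustration written for this page, not code from Weebly, Imperva or SecureAuth; the GeoIP table, the per-account home country, the leaked-password sample and the user-agent markers are all constructed stand-ins for what a real deployment would load from a GeoIP database, login history, a breach corpus and a bot-detection service.

```python
import hashlib
from collections import defaultdict, deque

# Constructed sample of passwords of the kind found in public breach dumps (a stand-in
# for a real corpus). Kept as SHA-256 digests so the plaintext list is not stored.
_LEAKED_SAMPLE = ["password", "123456", "qwerty", "letmein", "welcome1"]
LEAKED_PASSWORD_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in _LEAKED_SAMPLE}

# Constructed IP-to-country table standing in for a GeoIP lookup (assumption).
GEOIP = {"203.0.113.5": "GB", "198.51.100.9": "US", "192.0.2.77": "RU"}

# Constructed per-account "home" country, as learned from past successful logins (assumption).
EXPECTED_COUNTRY = {"alice": "GB", "bob": "US"}

# User-agent substrings typical of automation tooling; a crude heuristic, not a full scheme.
AUTOMATION_UA_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/")


class LoginRateLimiter:
    """Sliding-window count of login attempts per key (an account name or a source IP)."""

    def __init__(self, max_attempts=5, window_seconds=60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now):
        q = self._attempts[key]
        # Discard attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def is_leaked_password(password):
    """True if the submitted password appears in the leaked-credential set."""
    return hashlib.sha256(password.encode()).hexdigest() in LEAKED_PASSWORD_HASHES


def looks_automated(user_agent):
    """True for an absent user agent or one that names a known automation framework."""
    ua = (user_agent or "").lower()
    return not ua or any(marker in ua for marker in AUTOMATION_UA_MARKERS)


def assess_login(limiter, username, password, ip, user_agent, now):
    """Return (decision, reasons); decision is 'allow', 'challenge' or 'block'.

    Rate limits are applied per account and per source IP independently, so a
    credential-stuffing run spread over many accounts from one address is still
    caught by the IP counter, and one account hammered from many addresses by
    the account counter. Other signals only raise the bar (e.g. a second factor)
    rather than rejecting outright.
    """
    reasons = []
    if not limiter.allow(("user", username), now):
        reasons.append("rate_limit_user")
    if not limiter.allow(("ip", ip), now):
        reasons.append("rate_limit_ip")
    if reasons:
        return "block", reasons
    if looks_automated(user_agent):
        reasons.append("automated_client")
    country = GEOIP.get(ip)
    if country is None:
        reasons.append("unknown_origin")
    elif country != EXPECTED_COUNTRY.get(username, country):
        reasons.append("unexpected_country")
    if is_leaked_password(password):
        reasons.append("leaked_password")
    if reasons:
        return "challenge", reasons
    return "allow", reasons


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_attempts=3, window_seconds=60)
    print(assess_login(limiter, "alice", "correct horse battery", "203.0.113.5", "Mozilla/5.0", 0.0))
    print(assess_login(limiter, "alice", "password", "192.0.2.77", "python-requests/2.31", 1.0))
```

The leaked-password check runs on the submitted plaintext at login time, before it is compared against the stored bcrypt hash, which is the only point at which the server can see it; the leaked set itself is kept hashed. Passing `now` explicitly keeps the limiter testable and lets it be driven from a request's timestamp rather than the wall clock.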
James Romer, EMEA chief security architect at SecureAuth, told SC that organisations cannot rely on consumers to remember numerous passwords in their active online lifestyles; instead, they need to be encouraged away from the current reliance on a single point of authentication towards continuous authentication, which developments in behavioural biometrics support.
“Not only does this render stolen credentials completely worthless across the breached site, it also means they cannot be used to compromise users more broadly,” he said.