Quidd, an application designed for trading various digital collectibles like cards, toys, and stickers, suffered a massive data breach that compromised the personal information of almost 4 million customers.
Researchers at Risk Based Security recently discovered that login credentials of almost 4 million Quidd users were stored in a Dark Web hacking forum. These stolen data included Quidd usernames, email addresses and hashed passwords and was available to Dark Web hackers without any sort of restrictions.
According to the security firm, hacker group ProTag has claimed to have orchestrated the cyber attack on Quidd. The hackers uploaded the stolen data on a Dark Web forum on 12th March 2020 for a short period and then uploaded the data again on 29th March. Furthermore, ZDNet also learned from a data trader that the hackers placed ads about the stolen data on dark web forums as early as in October last year.
“A Risk Based Security researcher, who monitors the forum, confirmed the posting came from a reliable source. After initial testing, the data appears to be valid. The leaked data sets include email addresses, usernames, and bcrypt hashed passwords of 3,954,416 users. They also included professional email addresses of thousands of well-known companies like Microsoft, Experian, AIG, Accenture, Target, University of Pennsylvania, Virgin Media and Tutanota,” the researchers said.
The researchers found that a hacker has already cracked more than a million passwords and another hacker is currently selling more than 135,000 cracked Quidd passwords. Although Quidd has not published any statement for the data breach, researchers have advised Quidd users to change their account passwords as soon as possible.
Organisations should adopt tokenisation to render stolen data unusable
Commenting on the breach suffered by Quidd, Anna Russell, EMEA VP at comforte AG, told TEISS that email addresses, usernames and hashed passwords are examples of valuable information and therefore, it is no surprise that hackers frequently target the infrastructure that holds this critical information.
"While there is no sure-fire way to prevent these hackers from accessing this information, there are solutions that protect the valuable information itself. While Quidd are fortunate that the passwords were hashed through bcrypt-protected hashes, this means that it is possible for the information to be unencrypted to plain text. Indeed, more than 100,000 passwords have already been deciphered, and more are sure to follow. Companies should look to deploy data security tactics such as tokenization. This means that sensitive information is rendered unusable for unauthorized access, instead of providing a challenge for determined hackers."
Stuart Sharp, VP of solution engineering at OneLogin, also told TEISS that the challenge for the industry is to make it easier for users to improve their security. The quick win is to add MFA on top of passwords. Even weaker forms of MFA like email or SMS OTP messages will greatly reduce the threat posed by compromised passwords, but a range of MFA options should be offered to allow individuals to choose more secure ones when they are ready.
“In the longer run, industry needs to help individuals in their desire to move towards passwordless authentication. Everyone from hardware manufacturers to App Developers need to embrace this trend to offer better security that is easy for people to adopt and use on a daily basis,” he added.