Minted Finally Fessed up to a Data Breach, but Only After 5 Million Records Were Found Online


Yesterday, Minted, a marketplace where independent artists share and monetize their creations, announced that it had suffered a data breach. 'Outside forensic experts' helped Minted carry out an investigation which determined that on May 6, hackers stole users' names and login credentials. The telephone numbers, billing and shipping addresses, as well as the dates of birth of a portion of the affected individuals, may have also been stolen.

The breach doesn't appear to be that bad

The good news is that payment data was not affected. The notice also says the passwords were hashed and salted, so the attackers cannot simply read them: each hash has to be cracked individually, which protects users who chose strong, unique passwords but does little for weak or reused ones. Out of an abundance of caution, all Minted customers are urged to change their passwords, and anyone who reused their Minted password on another service should change it there as well.

A data breach is never good news, but some incidents are worse than others, and the Minted hack doesn't appear to be that bad. Personal information was stolen, and potentially affected users should be on the lookout for phishing attacks that use it, but based on what the company wrote, the danger isn't that great. The timeline in the data breach notification might also lead you to believe that Minted did a good job of disclosing the incident. Dig a bit further, however, and you'll see that this wasn't really the case.

People have known about the Minted data breach for weeks

A few details are missing from Minted's data breach notification. The notice doesn't say, for example, that the number of affected users sits at around 5 million. Nor does it say what hashing algorithm the company used to protect the passwords. According to experts who have seen a sample of the stolen database, it is a Blowfish-based scheme (presumably bcrypt, the password hash built on Blowfish), and with the right tools and a wordlist the weaker passwords in it can be cracked. Crucially, Minted didn't say that the data had been on sale for $2,500 for three weeks and that more or less everybody knew about it.
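The two paragraphs above make the same point from opposite sides: "hashed and salted" stops an attacker from reading the passwords directly, yet a Blowfish-based hash can still be cracked. The following script is an added illustration of why both statements are true, not code from Minted or from the article. Minted's actual hash format is not public, so the dump here is constructed, and because bcrypt is not in the Python standard library the stand-in key derivation is PBKDF2-HMAC-SHA256 with a hypothetical work factor; the attack logic (recompute each candidate under the victim's own salt) is the same as what a bcrypt cracker does.

```python
"""Why 'hashed and salted' still lets weak passwords be recovered.

Added example, not code from Minted or from the article. The stored format,
the work factor and the sample dump below are all constructed assumptions.
"""
import hashlib
import hmac
import os

# Hypothetical work factor for the stand-in KDF (bcrypt's equivalent is its cost).
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Store scheme, work factor, salt and digest together, modular-crypt style."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def identify_hash(stored: str) -> str:
    """Guess the hashing scheme from the stored string's modular-crypt prefix."""
    prefixes = {
        "$2a$": "bcrypt (Blowfish-based, salted)",
        "$2b$": "bcrypt (Blowfish-based, salted)",
        "$2y$": "bcrypt (Blowfish-based, salted)",
        "$1$": "md5-crypt (salted)",
        "$5$": "sha256-crypt (salted)",
        "$6$": "sha512-crypt (salted)",
        "$pbkdf2-sha256$": "PBKDF2-HMAC-SHA256 (salted)",
    }
    for prefix, name in prefixes.items():
        if stored.startswith(prefix):
            return name
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "probably unsalted MD5"
    return "unknown"


def crack(dump: dict, wordlist: list) -> dict:
    """Offline dictionary attack: the salt is stored next to the hash, so the
    attacker simply recomputes every candidate under each user's own salt.
    Salting only defeats precomputed tables; it does not slow per-user guessing."""
    recovered = {}
    for user, stored in dump.items():
        _, scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2-sha256":
            continue  # this toy cracker only handles the stand-in scheme
        salt, target = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        for candidate in wordlist:
            dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
            if hmac.compare_digest(dk, target):
                recovered[user] = candidate
                break
    return recovered


# Constructed sample dump: three users, each with a fresh random salt, one of
# whom chose a passphrase that no small wordlist will contain.
SAMPLE_DUMP = {
    "alice": hash_password("password123", os.urandom(16)),
    "bob": hash_password("letmein", os.urandom(16)),
    "carol": hash_password("correct horse battery staple 9!", os.urandom(16)),
}
# Constructed wordlist standing in for the multi-gigabyte lists real crackers use.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "minted2020"]

if __name__ == "__main__":
    for user, stored in SAMPLE_DUMP.items():
        print(user, identify_hash(stored))
    print(crack(SAMPLE_DUMP, WORDLIST))
```

The run recovers alice's and bob's passwords and nothing for carol. Scaled to 5 million records and a real wordlist, the same loop yields a large fraction of accounts no matter how good the hash is; the work factor only decides how many GPU-hours that takes. That is the practical reason the "change your password" advice matters even when the notice says the hashes were salted.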

The database stolen from Minted is now in the hands of a hacking group called Shiny Hunters. The crew came to prominence last month when it announced that it had stolen 91 million records from Tokopedia, one of Indonesia's largest ecommerce platforms. Shiny Hunters first asked the hacking community to help them crack (or "dehash", in their words) the passwords in that database, and then offered it for sale on the dark web. The group is also connected to the sale of around 22 million records stolen from an online education platform called Unacademy. In that case the hashing algorithm was strong, which brought the price down considerably, and to keep their income steady, a few days later the hackers put up for sale no fewer than ten additional databases stolen from various online services. As you may have guessed already, Minted's was one of them.

The massive dump affected millions of people, and it was important to inform them as quickly as possible. Sadly, this didn't happen. News outlets like ZDNet that reported on the story tried to get in touch with all the affected companies, but their emails went largely unanswered. In yesterday's notification, Minted representatives said that they learned about the incident on May 15, even though reporters had been alerting them to it a full week before that.

Eventually, the affected companies started admitting that they had been through a data security incident, and Minted is the latest one to fess up. None of them has explained what took them so long, though.

We can imagine that disclosing a data breach isn't the easiest thing in the world for a company's PR team, but in the wake of such an incident the main focus for everybody should be users' security. Every day a disclosure is delayed while the data is already on sale is a day victims cannot change their passwords or watch for phishing, so by delaying, service providers are doing nothing more than putting their customers at even greater risk.

May 29, 2020

One Comment

  • Micheas:

    One thing that makes it take a while to disclose a breach is that sometimes it isn't clear how bad the breach was.

    Minted uses Stripe for credit card processing, so they don't hold the credit card information. But if the JavaScript had been compromised, then the attackers could have lifted the credit card information. The investigation and forensics isn't just a snap of the fingers. They may have decided that they needed to fix the issue before disclosing it.

    That and CCPA means that it was call in the lawyers and figure out what to do to limit the firm's legal liability.

    Generally PR isn't the reason for excessively slow disclosures but rather engineering failures that are proving difficult to fix.