Trakt Warns Users About a Password Leak That Happened in 2014
Every now and again, vast databases full of billions of usernames and passwords hit the internet, and most of us can't help but wonder how hackers can collect such a humongous quantity of data, seemingly without anyone noticing. Well, on Wednesday, a service provider called Trakt admitted that it had suffered a data breach, and the details around it might just give us a small insight into how these enormous data dumps come into existence.
Trakt is an online platform that lets you keep track of the movies and TV shows you follow and want to watch. It works on a number of different platforms, and a couple of years ago, Justin Nemeth, its founder, told Forbes that it uses that most trendy of technologies, machine learning, to give you suggestions on which TV shows and movies you might like. For a relatively modest monthly subscription, you can purchase a VIP plan that has additional features.
Trakt might not be the most recognizable name out there, but if you check out the #trakt hashtag on Twitter, you'll see that every minute, someone is using the service to tell the whole world what they're watching. In other words, it's got quite a few users who might want to know what Trakt said on Wednesday.
Trakt was a victim of a data breach
The company decided not to issue an official announcement, but this sort of news can never remain under wraps for long. Shortly after Trakt started notifying its users about the incident, people began sharing what they had received. Since Trakt has disclosed no further information, screenshots from the emails are all we've got to work with.
First of all, we should say that VIP users can remain calm. Their financial details weren't affected because payments were processed and card data was stored by a third-party payment processor. This, you might argue, is just as well, because when credit card data is at stake, it's important to inform the cardholders as quickly as possible, and it's fair to say that the people who used their cards for a Trakt subscription weren't informed anywhere near immediately after the breach.
Trakt was breached in 2014
The incident happened just over four years ago, in December 2014. Apparently, the miscreants broke in via a PHP exploit and stayed there until January 2015, when Trakt migrated its infrastructure to a new platform and unknowingly plugged the security hole. While they were in, the hackers managed to steal names, email addresses, usernames, location data, and "encrypted passwords". Trakt didn't say how many people were affected, but it noted that it learned about the incident "only recently" and that the investigation is ongoing, which means that we might see more news in the future.
This is just one breach. Now think about the hundreds of similar incidents that people still don't know about. This is how vast databases such as the one discovered last week come to be. Whether they're useful or not, however, depends largely on how the breached services store users' passwords. Sadly, evidence suggests that in this particular aspect, Trakt wasn't doing such a good job at the time of the incident.
Password storage makes all the difference
As we mentioned already, Trakt says that it was storing people's passwords in "encrypted" format. Experience teaches us that this could mean that the passwords really were encrypted, in which case anyone who obtains the key can turn the whole column back into plaintext, but it could also mean that they were hashed, which is what breach notices usually mean by the word. Neither word tells you how crackable the data is: a fast, unsalted hash like MD5 or SHA-1 can be matched against a precomputed wordlist at billions of guesses per second, while a salted, deliberately slow algorithm forces the attacker to start over for every single user. Trakt hasn't said which it was, but its management seems to understand that the passwords weren't stored properly.
All affected users received emails with password reset links and were urged to change their password on any other website where it might have been reused. With this, Trakt basically admits that the passwords were not securely stored. And this may very well mean that the data is now in one of the huge dumps we talked about recently.
Thankfully, the 2015 migration that closed the hole also brought about "a more secure algorithm for storing passwords", which means that people who signed up after January 2015 should be safe. At least that's the theory.
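To show why the storage algorithm decides whether a stolen dump is useful, here is an added Python example. It is not Trakt's code: the company has not said what "encrypted" meant in 2014 or which "more secure algorithm" it adopted in 2015, so the weak scheme (unsalted MD5) and the stronger one (a per-user random salt with memory-hard scrypt) are assumptions chosen to illustrate the difference. The usernames, passwords and cracking wordlist are constructed for the example.

```python
"""Added example: the same leaked users under a weak and a strong password store.

Assumptions (not from Trakt): weak store = unsalted MD5, strong store = salted scrypt.
"""
import hashlib
import hmac
import os

# Constructed sample data: three accounts and a tiny attacker wordlist.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr4kt!Unique-2014"}
WORDLIST = ["123456", "password", "letmein", "trakt2014", "qwerty", "hunter2"]

# scrypt parameters used by the strong store (memory-hard, tunable cost).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def weak_store(password: str) -> str:
    """Unsalted fast hash: identical passwords give identical hashes, and one
    wordlist pass cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_store(password: str, salt: bytes = None) -> str:
    """Per-user random salt plus scrypt, stored as 'salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt.hex() + "$" + digest.hex()


def strong_verify(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_weak_db(users: dict) -> dict:
    return {user: weak_store(pw) for user, pw in users.items()}


def build_strong_db(users: dict) -> dict:
    return {user: strong_store(pw) for user, pw in users.items()}


def crack_weak(leaked: dict) -> dict:
    """Offline attack on unsalted hashes: hash the wordlist once (a lookup
    table), then every leaked hash is a dictionary lookup. Returns user -> password."""
    table = {weak_store(word): word for word in WORDLIST}
    return {user: table[h] for user, h in leaked.items() if h in table}


def crack_strong(leaked: dict) -> tuple:
    """Same wordlist against salted scrypt: the table cannot be shared between
    users, so every account costs a fresh run of the wordlist at scrypt speed.
    Returns (user -> password, number of scrypt computations performed)."""
    recovered, work = {}, 0
    for user, stored in leaked.items():
        for word in WORDLIST:
            work += 1
            if strong_verify(word, stored):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    weak_db = build_weak_db(USERS)
    print("weak hashes identical for alice/bob:", weak_db["alice"] == weak_db["bob"])
    print("cracked from weak store:", crack_weak(weak_db))
    strong_db = build_strong_db(USERS)
    print("strong hashes identical for alice/bob:", strong_db["alice"] == strong_db["bob"])
    recovered, work = crack_strong(strong_db)
    print("cracked from strong store:", recovered, "after", work, "scrypt runs")
```

Both stores give up alice's and bob's weak password to a six-word list, which is why a reset was the right call regardless of algorithm. The difference is in cost and scale: the MD5 attack is six hashes for the whole database (and the identical hashes reveal password reuse before a single guess), while the scrypt attack has to pay the full memory-hard cost for each guess against each user, and carol's unique password stays out of reach in both cases. Parameters should be tuned to the hardware; what matters is that the work grows with the number of users rather than being paid once.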