Wattpad Sends an Email Disclosing That Users' Passwords and Other Data Have Been Breached

Wattpad Data Breach

In early-July, researchers from a threat intelligence company called Cyble noticed that a cybercriminal was selling a large database that was allegedly full of the personal information of Wattpad users. The ad was placed on a hacking forum, and at 10 BTC, or around $9,500 at the current rate, the price was astronomical. If anyone has actually decided to pay for the data, they probably feel rather silly now because just a week later, the database was offered on the same hacking forum for free. But what prompted the hackers to put such a humongous price tag in the first place?

What did the hackers steal?

Wattpad's first statement came out on July 14, when the social network for readers and writers said that it's investigating the reports that its users' data is being traded on the underground forums.

The results of the investigation were published on Tuesday, and the statement was furnished with a list of FAQs. The report is being emailed to Wattpad users as we speak, and having seen it, we're finding it difficult to understand why the hackers initially wanted more than $9 thousand for the database.

Wattpad gave no technical details on how the crooks actually broke in and stole the data, but it published a pretty extensive list of the details they managed to get their hands on. In the database, you'll find:

  • Email addresses
  • Hashed passwords
  • IP addresses
  • Dates of birth
  • Profile display names
  • Lists of paid stories
  • Facebook and Google account IDs of the people who used third-party services to sign up

According to Troy Hunt's HaveIBeenPwned data breach reporting service, the passwords were hashed with bcrypt, which means that the hackers are going to have a hard time retrieving the plaintext credentials. Out of an abundance of caution, users' passwords will be reset, though this is pretty much standard practice in the event of a data breach.

Thanks to the strong hashing algorithm, the threat of account takeover is not that big, and Wattpad said that users' financial data was not affected by the attack, which is also good news.

It was a huge breach

Based on all that information, you, too, are probably struggling to figure out why the hackers initially decided that the data is worth close to $10 thousand. The only thing that could have served as a reason for the ridiculous asking price was the size.

About a year ago, BetaKit, a website dedicated to startup news, said that Wattpad had around 80 million active users in the summer of 2019. It looks like the userbase is much bigger now.

The number of affected accounts hasn't been announced officially yet, but we do know that the database was stolen in June, and it contains a whopping 270 million records. HaveIBeenPwned gives you the chance to check whether your email address was leaked during the breach, though chances are, if you've ever had an account at Wattpad, your data was most likely affected.

This is bad news because with the data now freely available, the risk of identity theft for you and millions of other users is quite high. Make sure you're a bit more vigilant than usual.

July 24, 2020

Leave a Reply