Social media data analytics tool Social Blade has announced a breach that affected its systems on December 14 and exposed users’ personally identifiable information (PII), which was then offered for sale on the dark web.
The company did not issue a public warning about the incident but has warned users directly via email. One of the users recently posted the letter's content on the popular news aggregator platform Ycombinator.
“On December 14, we were notified of a potential data breach whereby an individual had acquired exports of our user database and was attempting to sell it on a hacker forum,” reads the email.
“Samples were posted, and we verified that they were indeed real. It appears this individual made use of a vulnerability on our website to gain access to our database.”
The company has confirmed the data does not include any credit card information, but it does contain other data that could be considered PII, including email, IP and home addresses, as well as password hashes.
“While account password hashes were leaked, we have never stored your password in plain text, so your password is still secure,” Social Blade added.
According to Erich Kron, security awareness advocate at KnowBe4, while it is good that the passwords were hashed in this case, social engineers can still use the kind of information that was stolen to craft more convincing attacks, especially against high-value targets.
Client IDs and tokens for the company’s business API users, auth tokens for connected accounts and other non-personal and internal data types were also compromised.
“We’ve already addressed the method that this third-party employed to gain access to the system, and we’re doing additional reviews to ensure that the security of all of our systems are further hardened to prevent future incidents,” the company explained.
“In this case, I am impressed that Social Blade issued a statement as quickly as they did and appeared to be very forthcoming,” Kron added. “Given the likelihood of breaches for many organizations, this practice is one that should be applauded.”
Further, the security expert called on victims of the breach to be aware of a potential increase in targeted email phishing, vishing and smishing attacks.
“Although the passwords were hashed, it’s a good idea to change [them], ensuring that the password is unique to this site and not used elsewhere.”
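The two practical points in the article are that stolen password hashes are only as safe as the hashing scheme behind them, and that leaked API client IDs and auth tokens have to be revoked outright. The following is an added illustration written for this page, not Social Blade's code: it stores passwords as salted PBKDF2-HMAC-SHA256 records, keeps only a SHA-256 of each API token so a database export does not yield usable tokens, and models a breach response that revokes every token and forces a password reset. The user records, field names and sample accounts are constructed for the example and are not the company's schema.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for the example); high enough
# that offline guessing against a leaked hash is slow, low enough for interactive login.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a salted PBKDF2 record; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest,
            "reset_required": False}


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison; a record flagged for reset never verifies."""
    if record["reset_required"]:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def issue_api_token(user: dict) -> str:
    """Mint a random API token; only its SHA-256 is kept server-side."""
    token = secrets.token_urlsafe(32)
    user["token_hashes"].add(hashlib.sha256(token.encode("utf-8")).hexdigest())
    return token


def token_is_valid(user: dict, token: str) -> bool:
    """Check a presented token against the stored token hashes."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest() in user["token_hashes"]


def respond_to_database_export(users: Dict[str, dict]) -> int:
    """Breach response for an exported user table: revoke all API tokens and
    force a password reset on every account. Returns the number of accounts touched."""
    for user in users.values():
        user["token_hashes"].clear()
        user["password"]["reset_required"] = True
    return len(users)


def reset_password(user: dict, new_password: str) -> None:
    """Replace the old hash with a fresh salt and hash; this clears the reset flag."""
    user["password"] = hash_password(new_password)


def build_sample_users() -> Dict[str, dict]:
    """Constructed sample accounts for the example (not real users)."""
    return {
        "alice@example.com": {"password": hash_password("correct horse battery staple"),
                              "token_hashes": set()},
        "bob@example.com": {"password": hash_password("hunter2"),
                            "token_hashes": set()},
    }


if __name__ == "__main__":
    users = build_sample_users()
    alice = users["alice@example.com"]
    token = issue_api_token(alice)
    print("login before breach:", verify_password(alice["password"], "correct horse battery staple"))
    print("token before breach:", token_is_valid(alice, token))
    print("accounts handled:", respond_to_database_export(users))
    print("token after breach:", token_is_valid(alice, token))
    print("old password after breach:", verify_password(alice["password"], "correct horse battery staple"))
    reset_password(alice, "a new passphrase used nowhere else")
    print("new password:", verify_password(alice["password"], "a new passphrase used nowhere else"))
```

The design choice worth noting is that a leaked row from this table yields neither a password nor a working API token, and the reset flag means an attacker who does recover a password offline still cannot log in with it once the response has run.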
Data breaches increased by 70% in Q3 2022, according to an October Surfshark report. The last quarter of the year is also experiencing a further increase, particularly in Australia.