
    Font sharing site DaFont has been hacked, exposing thousands of accounts

    Editor
    Another day, another hack! (via ZDNet)

    DaFont.com, a popular font sharing site, has been hacked, exposing the site's entire database of user accounts.

    Usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen in the breach, carried out earlier this month by a hacker who would not divulge his name.

    The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums.

    The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database.

    "I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find."

    While the hack of DaFont is far from the biggest data breach we've covered, it could still cause considerable headaches for a lot of people -- even if the free site didn't store any payment or other critically sensitive data. That's because this breach involves a huge trove of email addresses and passwords that could allow a hacker to break into other, more sensitive sites and services that share the same password.

    In the case of corporate accounts, that could lead to further data breaches of sensitive and confidential business files. Among the confirmed email addresses we found in the breach, several accounts belonged to Microsoft, Google, and Apple corporate accounts.

    Dozens of accounts were also associated with UK and US government agencies.

    Anyone thought to be affected by the breach can now search for their data in Have I Been Pwned.

    2 Comments

    msmyth

    ..."I heard the database was getting traded around so I decided to dump … ..."I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find."...



    https://imgs.xkcd.com/comics/exploits_of_a_mom.png

    [ xkcd.com/327/ ]

    How much for 100k
    lol

    Edited by: "whelan189" 19th May