The SitePoint web professional community has disclosed a data breach after their user database was sold and eventually leaked for free on a hacker forum.
SitePoint is a website launched in 1999 that offers content and a community devoted to web professionals and developers. The site offers a premium membership that provides access to over 600 books, courses, and talks.
At the end of December 2020, BleepingComputer learned of a data breach broker selling the user databases for 26 different companies. One of the databases was for SitePoint.com, which the broker stated contained one million user records.
At the time, BleepingComputer contacted SitePoint with this information, but we never received a response to our repeated emails.
On January 26th, 2021, a threat actor known as ShinyHunters shared the database for Learnable.com for free on a hacker forum. The learnable.com redirects to the Sitepoint.com domain.
This database contains 1,020,959 people, including members' names, email addresses, bcrypt hashed passwords, date of birth, country, IP address used during registration, and other information.
SitePoint discloses the data breach
This week SitePoint users told BleepingComputer that they received extortion and fake cryptocurrency giveaway emails to addresses that they state were specifically created for and only used at SitePoint.
After these users complained to SitePoint, the company disclosed a data breach where they confirm that threat actors hacked their systems and stole member data.
"We have recently confirmed that SitePoint’s infrastructure was breached by a third party and some non-sensitive customer data was accessed as part of this attack."
"As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters. Next time you login to SitePoint you will need to create a new password," SitePoint states in a data breach notification shared with BleepingComputer.
SitePoint says the hackers gained access to through a compromised third-party tool used to monitor their GitHub account. Using this tool and stolen API keys, SitePoint believes that the attackers could gain access to their codebase and system.
While SitePoint has not disclosed the compromised third-party tool's name, it fits the Waydev app breach's description that hackers used to breach other sites over the past year
SitePoint states that they have reset the passwords for all accounts, but those accounts configured to log in automatically, will still do so. For these users, SitePoint advises users to manually change their password via 'Account > Profile & Settings.'
No financial information, such as credit cards, is stored on their system and was not accessed by the threat actor.
What should SitePoint users do?
If you a member of SitePoint.com, you should immediately login to the system and perform a password reset.
If your SitePoint password is used at other sites, you should also change your password to a unique and strong one used only at that site.
As we know that threat actors are actively using the stolen data to conduct phishing and scam attacks, it is important to be on the lookout for further malicious emails.
These emails will attempt to steal sensitive information or trick recipients into installing malware.
Comments
Icepop33 - 3 years ago
It's very disheartening to hear that Sitepoint ignored your requests for comment earlier in your investigation and only disclosed the breach when their asses were on fire and they had no other recourse. It's pretty much SOP, but still not acceptable.
If I didn't have a lifetime plan, I would think about dropping them like a hot rock, not because of the breach, but because of their lack of communication with their customers, who might have liked to change certain passwords much earlier...had they known.
Also, stating that none of the information disclosed was of a sensitive nature is incredibly disingenuous and of course, plain wrong. I have lost that warm and fuzzy feeling for sure. What a shame. When will they learn that some things can be forgiven (a security breach), but others can't (a poor response)?
Lucanos - 1 year ago
I have a Sitepoint/Learnable account. I have not yet received an emails from them about this breach.
Luckily I use a password manager, and have long random passwords on most of my accounts.
But disappointing SitePoint would act so recklessly knowing they'd been breached, including failing to notify all users.