Data for 18,000 users stolen in the incident. The website of the British EDM band Faithless has been breached and the personal information of over 18,000 fans stolen by a yet unknown attacker, The Independent reports after being notified by cyber-security vendor CyberInt.
Last September, CyberInt security experts discovered a listing on the Dark Web offering a database dump of around 18,000 users who had registered on the faithless.co.uk portal, the band’s official website.
The data was being sold for a few hundred dollars, and was said to contain usernames, emails, and passwords for each account.
While no personally identifiable information (PII) was included in the exfiltrated data, it is common for users to reuse passwords across multiple accounts. Attackers may use the stolen credentials to break into other profiles that hold more information about each user, including financial details that could be used for fraudulent transactions.
Data breach took place last September, was due to an SQLi bug
CyberInt went on to inform the band, and after an investigation of the band’s website, the firm’s security specialists concluded that the breach occurred after attackers exploited an SQL injection flaw to infect the server with malware.
The malware gave the hackers access to the server, from where they stole the data undetected and later covered some of their tracks.
The Independent reports that despite knowing of the incident since last September, Faithless has failed to notify fans of the data breach.
This poses a risk for all affected users, since they may be exposed to cybercrime without knowing it. The attacks that can be crafted from the data stolen from the Faithless website include basic phishing emails, but also more complex social engineering tricks if the hackers manage to tie an email address or username to a user’s other online accounts.