DaFont Site Hacked, Almost 700K Accounts Exposed

Hackers got access to usernames, email addresses, and plaintext passwords thanks to improper hashing.

DaFont.com was hacked earlier this month, the company announced, exposing its entire database of almost 700,000 usernames, email addresses, and passwords in plaintext. If you have an account on the site, which provides freely downloadable fonts, change that password now, along with the password of any other account where you reused it.

The hacker got into the database by exploiting a union-based SQL injection vulnerability; once inside, the passwords were easy to recover because the platform hashed them with the weak MD5 algorithm.
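To make the injection vector concrete from a defender's side, here is an added example (not DaFont's code; the table names, rows and search endpoint are constructed for illustration) that places a string-concatenated query next to its parameterized form. Against the concatenated version, an input of the union-based kind the article describes pulls rows out of an unrelated users table; the parameterized version treats the same input as a literal search term and returns nothing.

```python
import sqlite3

# Constructed demo schema; it is not DaFont's database and every row is made up.
SAMPLE_FONTS = [(1, "Aller", "free"), (2, "Lobster", "free")]
SAMPLE_USERS = [(1, "alice", "alice@example.org", "5f4dcc3b5aa765d61d8327deb882cf99")]


def make_db():
    """Build an in-memory SQLite database with a public table and a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fonts (id INTEGER, name TEXT, license TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO fonts VALUES (?, ?, ?)", SAMPLE_FONTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def search_fonts_vulnerable(conn, term):
    """Concatenates the search term into the SQL text, so the input can rewrite the statement."""
    sql = "SELECT id, name, license FROM fonts WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_fonts_safe(conn, term):
    """Parameterized query: the driver binds the value separately, so it is only ever data."""
    sql = "SELECT id, name, license FROM fonts WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


# Constructed input of the union-based kind named in the article: it closes the string
# literal, appends a SELECT with the same three-column shape, and comments out the rest.
UNION_INPUT = "x' UNION SELECT id, email, password_hash FROM users --"


def demo():
    """Run both search functions over the same inputs and return the rows each one yields."""
    conn = make_db()
    return {
        "vulnerable": search_fonts_vulnerable(conn, UNION_INPUT),
        "safe": search_fonts_safe(conn, UNION_INPUT),
        "legit": search_fonts_safe(conn, "Aller"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The only change between the two functions is moving the value out of the SQL text and into the bind parameter; that single change is what closes the class of bug described in the article, independent of any input filtering.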

The database not only contains usernames, email addresses, and passwords, but also data and user conversations collected from the forum, as well as corporate accounts from Microsoft, Google, Apple, and government agencies across the United States and the United Kingdom.

“I heard the database was getting traded around so I decided to dump it myself – like I always do, mainly just for the challenge and training my pentest skills,” the hacker told ZDNet.

The details of the database can be found on Troy Hunt’s Have I Been Pwned site. Hunt’s analysis of the database revealed 637,340 unique email addresses, 62% of which had already appeared in other breaches.

Users are advised to protect their devices and accounts, change their passwords, and make sure the new ones are strong and unique.

MD5 needs to go

This isn’t one of the largest data breaches in history; it’s not even the largest one we’ve reported on this week, but it shows once more that MD5 needs to be dropped by every site still using it to hash passwords. 98 percent of the passwords affected in this hack were cracked immediately and now sit in plaintext in the dumped database.
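The crack rate above is what unsalted, fast hashing buys an attacker: one precomputed table recovers every matching hash with a dictionary lookup. The added example below (not DaFont's code; it assumes the site stored unsalted MD5, which the page does not state but which is consistent with the reported 98 percent, and it uses PBKDF2-HMAC-SHA256 as the replacement, with bcrypt, scrypt or Argon2 being equally valid choices) shows the weak scheme next to a salted, deliberately slow one, and why the same lookup gets nothing against the latter.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the cracking dictionaries run against MD5 dumps.
WORDLIST = ["123456", "password", "qwerty", "letmein", "fontlover"]

# Assumed baseline iteration count for PBKDF2-HMAC-SHA256; tune it to the deployment's hardware.
ITERATIONS = 600_000


def md5_hash(password):
    """Unsalted MD5, the scheme the article says should be dropped (unsalted is an assumption)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def lookup_md5(digest, wordlist=WORDLIST):
    """Precompute the wordlist once, then recover any unsalted MD5 hash with a dict lookup.

    Without a salt every user who chose the same password has the same hash, so one table
    serves the whole dump; this is why the cracking reported in the article was immediate.
    """
    table = {md5_hash(word): word for word in wordlist}
    return table.get(digest)


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash. The stored string is self-describing so the cost can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations=ITERATIONS):
    """Hash one weak password both ways and report what the wordlist lookup recovers."""
    weak = md5_hash("password")
    strong = hash_password("password", iterations)
    return {
        "md5_recovered": lookup_md5(weak),          # "password"
        "pbkdf2_recovered": lookup_md5(strong),     # None: salted and not MD5
        "pbkdf2_verifies": verify_password("password", strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two properties matter here: the salt makes every stored hash unique even when passwords repeat, so precomputed tables are useless, and the iteration count makes each guess cost a deliberate amount of work. A migration can wrap the existing MD5 value inside the new scheme and replace it on the user's next login, so no site needs to wait for a breach to make the change.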

DaFont is currently working on fixing the vulnerabilities exploited by the hacker. “We have taken immediate measures to limit malicious access to users’ accounts,” the site said.
