Hackers have reportedly stolen account details for about six million users of CashCrate, a site that pays users for completing surveys online. According to a report by Motherboard, who obtained the database, the compromised data includes users email addresses, names, passwords and physical addresses. “Judging by timestamps in the stolen database, the earliest accounts date way back to 2006, and come with full passwords,” reported Motherboard. However, if a user signed up to other services reusing the same password, hackers could also access the victim’s account on such sites, as well as their CashCrate account. Accounts from mid-2010 onwards appear to have passwords hashed with the “notoriously weak” MD5 algorithm, which means hackers could potentially crack the hashes to obtain the real login credentials.
“To verify that the data was legitimate, Motherboard attempted to create accounts with random email addresses included in the data. In every instance, this was not possible, because the email was already linked to an account on CashCrate,” the publication reported.
Furthermore, Motherboard noted that CashCrate does not use basic web encryption, including on its login page, meaning that credentials could be exposed to anyone in a position to intercept them. In an emailed statement, the site said it’s currently in the process of notifying its members about the breach. “While we’re still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We’ve deactivated it until we’re confident it’s secure,” said a CashCrate spokesperson. "We have also confirmed that any users who have logged in since October 2013 have passwords that are fully hashed and salted, and we're looking into why some inactive accounts have plaintext passwords. Those will be hashed and salted immediately," the spokesperson told Motherboard.