A massive Weebly data breach has been uncovered that impacts 43,430,316 customers who have previously created websites using the drag and drop website creation platform. The data breach is understood to have occurred around 8 months ago, although Weebly has only just been informed that it was attacked. Rapid action was taken to shore up security and protect customers.
The security breach came to light after an anonymous individual sent the stolen credentials to LeakedSource. The LeakedSource database has now been updated and Weebly was informed of the breach. Notification emails started to be sent to customers on Thursday October 20, 2016.
At present, the cause of the breach is unknown. An investigation into the breach is ongoing although steps have already been taken to enhance security and protect customers. An external security firm has been brought in to help enhance network security protections to prevent future attacks. Weebly is unaware of any of the stolen data being used inappropriately.
The stolen data includes usernames, encrypted passwords, IP addresses, and email addresses. The passwords were salted and encrypted with bcrypt – an 11-year old security algorithm.
Fortunately, the Weebly data breach was nowhere near as bad as it could have been. Weebly is one of the most popular website creation and hosting platforms and tens of millions of websites have been created by customers. Weebly believes the strongly salted passwords – each password was uniquely salted and encrypted – have prevented the criminals behind the attack from targeting its customers’ websites.
Measures already taken to protect customers include resetting passwords on all affected accounts, and adding new password requirements. Weebly has also installed a new dashboard that allows customers to view recent login attempts to allow them to check whether their credentials have been used to gain access to their accounts. Further information will be provided to customers as and when it becomes available.