An allegedly stolen Wattpad database containing 270 million records were being sold in private sales for over $100,000. Now it is being offered for free on hacker forums.
Wattpad is a web site that allows members to publish user-generated stories on a variety of different topics. The site is immensely popular and is ranked as the the 150th most visited site worldwide.
Since July 7th, BleepingComputer has been tracking the rumored private sale of a Wattpad database containing over 200 million records.
In an anonymous tip, BleepingComputer was told that this database was being sold by Shiny Hunters, a group known for selling company databases acquired in data breaches.
At the time, Cyber intelligence firm Cyble told BleepingComputer that this database was being sold for ten bitcoins, or almost $100,000 at the time.
BleepingComputer contacted Shiny Hunters about this breach, and at first, they were concerned about how we knew about the sale, and then later denied having anything to do with it.
A few sample records of this database seen by BleepingComputer contain user names, names, hashed passwords, email addresses, and general geographic location.
BleepingComputer contacted the users in this sample, and one user confirmed with BleepingComputer that the listed information was accurate.
BleepingComputer was told by Kiel Hume, Director of PR & Communications at Wattpad, that they are working with external security consultants to investigate the potential breach.
"We continue to investigate the information you’ve shared and its potential origins. At this time we’ve enlisted external security consultants to aid our investigation. We take the security of our users and their data extremely seriously, and our teams will be working around the clock to uncover any new information."
Update 7/14/20 4:08 PM EST: Hume sent BleepingComputer an updated statement saying that Wattpad is working to contain and remediate the breach, but that no financial information, phone numbers, stories, or private messages were accessed during the incident.
We are aware of reports that some user data has been accessed without authorization. We are urgently working to investigate, contain, and remediate the issue with the assistance of external security consultants.
From our investigation, to date, we can confirm that no financial information, stories, private messages, or phone numbers were accessed during this incident. Wattpad does not process financial information through our impacted servers, and active Wattpad users’ passwords are salted and cryptographically hashed.
We are committed to maintaining the trust that our users have placed in us to ensure the safety and security of the Wattpad community.
Wattpad database now free on a hacker forum
While the database was previously being sold for the high price of $100,000, the database is now being offered for free and claims to contain 271 million users.
Today, a new user was registered on a hacker forum using the name and photo of ZDNet reporter Catalin Cimpanu and began offering this alleged database for free.
Cimpanu, who is a former reporter at BleepingComputer, is likely being impersonated due to his recent article about the hack of Vinny Troia's NightLion security firm, who claims to be revealing the identity of Shiny Hunters and other data breach sellers this week.
The user offering this database claims that 145 million passwords are hashed with bcrypt, and the other 44 million are hashed with SHA256.
This mixture of hashing methods was used in the samples seen by BleepingComputer.
The number of users reported to be in this stolen database conflicts with the reported 80 million total users on Wattpad in 2019.
BleepingComputer has not independently verified this database's authenticity other than the limited samples shared with us last week.
Update July 20th: Wattpad released an updated statement that they are resetting all user's passwords "out of precaution".
"Out of precaution, and as is common in these situations, we are resetting passwords and advising users to change passwords on other sites if they used the same password."
Comments
fairlyaround - 3 years ago
my account was one of many that was breached, but I want to know what information of mine that was released because of a personal situation that is going in in my life right now. is there any way I can be contacted to see which information of mine was leaked and if it is correct?
jamiezoe - 3 years ago
<p>you might want to input your email into https://haveibeenpwned.com/ they will tell you what sites and what kind of data breach was associated with your email. pretty nifty tool and its popular checking place to see what email security lapses are there across your organization.</p>
lisabreee - 3 years ago
how is a website like this allowed on the net??