Vulnerability in third-party service exposed users’ personal information
A data breach at a popular video marketing website has exposed the personal information of 23 million users.
The breach, which occurred at an unnamed third-party service, affected Israeli video marketing platform Promo.com.
Exposed data includes first name, last name, email address, IP address, approximated user location based on their IP address, and gender, as well as encrypted, hashed and salted passwords.
“Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded,” Promo.com said.
“Your log in via your social media account was not affected.”
The breach was discovered by researchers at US cybersecurity firm Cyble, who found that the Promo.com user data was freely available on a dark net forum.
Confirming that the breach had taken place, Promo.com posted a security advisory on its website.
In a cached version of the advisory seen by The Daily Swig, the company said the breach also affected its affiliated company Slidely.
The post read: “On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data.
“We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened.”
The company said it has “removed” the vulnerable third-party service and has hired a cybersecurity team to further its protection against vulnerabilities.
Promo wasn’t the only company to apparently fall victim to a breach. Cyble also discovered that leaked data from online travel agency Hurb, based in Brazil, was available on the same forum.
Hurb hasn’t yet addressed this incident, which is said to involve 20 million personal data records. The Daily Swig has reached out to the travel firm and will update this article accordingly.
Commenting on the Promo.com breach, Javvad Malik, security awareness advocate at KnowBe4, said: “This is another incident where an organization is stating the breach has occurred from a third party, which may be true, but it's still a breach for which they are responsible.
“Whenever handing over data to third parties, or allowing them access, organizations need to ensure they have adequate security controls in place and they have means to test the effectiveness of those said controls.”