UPDATED 21:55 EST / NOVEMBER 24 2020

SECURITY

User data stolen from event organizing service Peatix offered for sale online

Event organizing service Peatix Inc. has suffered a data breach with the details of up to 6.77 million users offered for sale online.

The data breach, reported to have occurred earlier this month, included full names, usernames, emails and hashed passwords. According to ZDNet today, the user data was being advertised for sale via Instagram Stories, Telegram channels and on several different hacking forums.

The data was stolen via an unspecified “unauthorized access” that occurred between Oct. 16 and 17. The company, which has offices in both Japan and New York, disclosed the incident via a press release in Japanese Nov. 17. TechCrunch Japan reported that the data stolen primarily consisted of government event-related data, specifically from Kagoshima, Saitama, Utsunomiya City, Fukui City and Miyazaki City. It’s not clear whether any data from users outside of Japan was also stolen, but the company does have customers outside of Japan.

Peatix said it has blocked the unauthorized access to its database and is strengthening its security measures with the assistance of external security firms. The company also reset all user passwords as a precaution.

The company also offers an online live event platform, a service that has become popular in the age of COVID-19. The company pitches Peatix Live as a “high-quality viewing solution for event organizers to create secured and paid online live experiences.” Tapping into Peatix’s event platform, the service is said to provide attendees with a secured and exclusive avenue to enjoy paid content through a proprietary network and player via Peatix’s website and mobile apps on iOS and Android.

“The data leak containing millions of Peatix usernames, emails and hashed passwords puts these victims around the world at risk for fraud and account takeover,” Robert Prigge, chief executive officer of identity verification company Jumio Corp., told SiliconANGLE. “Threat actors can decipher hashed passwords and leverage bots and credential stuffing to try these login credentials across thousands of websites (including banking portals, social media accounts, healthcare sites and more) in search of an opening.”

Peatix’s response to reset passwords isn’t enough to keep user accounts protected, Prigge added. “Instead, online organizations should turn to a safer and more secure alternative like biometric authentication, which will confirm the authorized user is the one logging in, ensuring personal data is protected from cybercriminals and data breach brokers,” he said.

Boris Cipot, senior sales engineer at electronic design automation company Synopsys Inc.’s Software Integrity Group, said stolen data usually shows up on secretive deep web forums or pages. In this case, though, social media platforms such as Instagram and messaging app Telegram were used to promote stolen names, usernames, hashed passwords and email addresses.

“Peatix has issued a notification on their webpage about the breach and are also contacting users to change their password on the platform to avoid possible account misuse,” Cipot added. “Users should, however, also change their passwords on other services where they have been reused. It is also critical that users are vigilant as their data may be used in phishing campaigns in an attempt to gather additional data or even gain access to their computer. As such, be wary of emails with attachments or links.”
