Fitness firm PayAsUGym has been hacked and the personal details of 300,000 customers compromised, according to reports.
The breach notice emailed to customers was republished by Australia-based security researcher Troy Hunt, and details the incident, which occurred last Thursday.
Although the firm claimed it doesn’t hold financial or credit card information, cyber-criminals can do a lot of damage with personal details, using them to craft more legitimate looking phishing attacks and/or trying to crack other online accounts the victims may reuse the same credentials on.
The notice continued:
“Passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password.
Once alerted, we immediately closed down the breach and informed the Police and the Action Fraud Police, who are investigating the incident further. In addition, we have migrated all servers to new new servers in consultation with cyber security professionals.”
Although PayAsUGym bigs-up the fact passwords were encrypted, the firm actually used the widely discredited MD5 algorithm with unsalted hashes, meaning “they might as well be plain text,” according to Hunt.
If correct, that would appear to be yet another example of a major security oversight from an online business which should know better.
Luke Brown, EMEA general manager at Digital Guardian, claimed there could even be repercussions for corporate security managers if some PayAsUGym customers signed up with their work email.
“Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks,” he argued.
“This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information."