Events and ticketing app Peatix has warned users of follow-on cyber-attacks after admitting it suffered a data breach earlier this month.
The firm claimed to have been informed by a third party on November 9 that account information had been “improperly accessed and obtained.
“It has been confirmed that information, including names, email addresses, salted and hashed version of passwords, nicknames, preferred languages, and countries and time zones where the accounts were created, about some of our users was involved,” it noted.
Fortunately, because the company does not store passwords in plain text or full credit card details, the fallout from the breach should be fairly contained.
However, it is still requesting users to reset their passwords, and warned of potential follow-on credential stuffing and password spraying attacks, which suggests that its encryption may be crackable.
“If your information was obtained by bad actors, they could use it to contact you (e.g. by sending you emails) or to attempt to gather personal information from you by deception (known as phishing attacks),” the notice continued. “They may claim to be Peatix or send emails appearing to be from Peatix.”
Paul Bischoff, privacy advocate at Comparitech.com, argued that the level of risk exposure for affected customers will depend on details that haven’t yet been divulged by the company.
“Peatix has not stated what algorithm is used to hash and salt the passwords in the database, which would give us a better indication as to whether users' passwords are at risk,” he explained.
“I've seen plenty of breaches of passwords that were hashed with deprecated algorithms such as SHA1 or MD5 that can be cracked with little effort, so it would be good to know what algorithm was used to encrypt those passwords.”