Promo Data Breach Hits 14.6 Million User Accounts

An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts.

Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business.

Although social media log-ins and financial information were not compromised, the attackers appear to have made off with plenty of sensitive personal data.

“The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo.

“Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.”

In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords.

Although Promo failed to quantify the scale of the breach, HaveIBeenPwned has claimed the incident exposed 22 million records containing over 14.6 million unique email addresses.

Promo has informed all affected customers and will force a password reset as a precaution, although credential stuffing remains a threat.

“Users need to double-check their password usage on other websites and online services, ensuring they are not using the same passwords on those accounts,” warned Chris Hauk, consumer privacy champion at Pixel Privacy.