LeakedSource has announced that 43 million customer credentials were stolen in a major breach in February targeting Weebly, the San Francisco-based web design platform that lets customers build their own website through a drag-and-drop interface.
The stolen information includes password hashes, emails, usernames and IPs from almost the entire client database. In spite of the strong password hashing algorithm, criminals were still able to get into the system.
“Passwords were stored using uniquely salted Bcrypt hashing and a cost factor of 8,” found LeakedSource. “This method of storing passwords gets a 7.5 out of 10 from us because there is lots of room for improvement but far from the worst we’ve seen.”
Weebly and LeakedSource are working together to make sure all users are informed and reset their passwords. Weebly now uses a cost factor of 10 for its password storage and assures its customers that it does not store any credit card information on its servers:
“We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident. We are taking steps to notify our customers – and we are taking swift action to address the situation,” commented the company.
LeakedSource names two other high-profile breaches – the compromise of 58,848,226 Modern Business Solutions users in October 2016 and 22,534,984 Foursquare accounts in December 2013.
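
The move from a bcrypt cost factor of 8 to 10 mentioned above, as an added example (not Weebly's or LeakedSource's code): a standard-library audit that reads the cost out of stored bcrypt strings and flags accounts whose hash must be recomputed at the next login. The row layout, function names and sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt modular crypt format: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
TARGET_COST = 10  # cost factor the article reports after the breach (was 8)

def bcrypt_cost(stored):
    """Return the cost encoded in a bcrypt string, or None if it is malformed."""
    m = BCRYPT_RE.fullmatch(stored.strip())
    if not m:
        return None
    cost = int(m.group(2))
    return cost if 4 <= cost <= 31 else None  # bcrypt only defines costs 4..31

def needs_rehash(stored, target=TARGET_COST):
    """True if the hash must be recomputed at the user's next successful login.
    Rehashing needs the plaintext, so it cannot be done offline in bulk."""
    cost = bcrypt_cost(stored)
    return cost is None or cost < target

def work_ratio(old_cost, new_cost):
    """bcrypt performs 2**cost expansion rounds, so each +1 doubles work per guess."""
    return 2 ** (new_cost - old_cost)

def audit(rows, target=TARGET_COST):
    """Return (histogram of costs, users whose hash is below target or unparseable)."""
    histogram = Counter(bcrypt_cost(h) for _, h in rows)
    stale = [user for user, h in rows if needs_rehash(h, target)]
    return histogram, stale

# Constructed rows: placeholder salt/digest characters, not real hashes.
SAMPLE_ROWS = [
    ("alice", "$2a$08$" + "A" * 22 + "B" * 31),  # legacy cost 8
    ("bob",   "$2b$10$" + "C" * 22 + "D" * 31),  # already at target
    ("carol", "$2y$08$" + "E" * 22 + "F" * 31),  # legacy cost 8
    ("dave",  "0" * 32),                         # constructed non-bcrypt value
]

if __name__ == "__main__":
    histogram, stale = audit(SAMPLE_ROWS)
    print("cost histogram:", dict(histogram))
    print("rehash at next login:", stale)
    print("work per guess, cost 8 -> 10: x%d" % work_ratio(8, 10))
```

Because only the plaintext can be rehashed, accounts flagged here are upgraded when the user next logs in or after the forced password reset the article describes.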