DaFont.com, an archive of freely downloadable fonts, was hacked earlier this month. The unidentified hacker exploited a union-based SQL injection vulnerability to dump the site's database, and the site's outdated password storage did the rest: passwords were hashed with MD5, a fast hash with well-known weaknesses that offers little resistance to offline cracking.
The dump covers the site's entire table of registered user accounts, almost 700,000 usernames, email addresses and MD5 password hashes, the great majority of which the hacker was able to crack. Email and password pairs recovered this way can be replayed against any other account where the same credentials were reused, which is what makes credential stuffing after a breach like this so effective.
The leaked database also contains private forum messages, and includes accounts registered with corporate email addresses at Microsoft, Google and Apple, as well as US and UK government addresses, according to analysis of the dump by Troy Hunt and the ZDNet team.
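The two weaknesses described above, a search query built by string concatenation and passwords stored as unsalted MD5, are easy to reproduce in miniature. The following is an added example written for this article, not DaFont's code, and the schema, table names, sample users and wordlist are all constructed for the demonstration. It runs a union-based injection against a concatenated query, shows that the same input is harmless once the query uses a bound parameter, cracks the leaked MD5 hashes with a small dictionary, and contrasts that with a salted, slow PBKDF2 hash:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo wordlist (assumption: stands in for a real cracking dictionary).
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]

# Injection payload: closes the LIKE string literal, appends a UNION that pulls two
# columns from the users table, and comments out the remainder of the original query.
UNION_PAYLOAD = "' UNION SELECT email, pw_md5 FROM users -- "


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def build_db():
    """In-memory SQLite database with constructed rows; schema and data are
    invented for this example and are not DaFont's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, pw_md5 TEXT)")
    conn.execute("CREATE TABLE fonts (id INTEGER PRIMARY KEY, name TEXT, author TEXT)")
    for user, email, pw in [("alice", "alice@example.com", "password123"),
                            ("bob", "bob@example.org", "letmein")]:
        conn.execute("INSERT INTO users (username, email, pw_md5) VALUES (?, ?, ?)",
                     (user, email, md5_hex(pw)))
    conn.executemany("INSERT INTO fonts (name, author) VALUES (?, ?)",
                     [("Comic Serif", "alice"), ("Mono Grotesk", "bob")])
    conn.commit()
    return conn


def search_fonts_vulnerable(conn, term):
    """Font search built by string concatenation: the search term becomes SQL."""
    sql = "SELECT name, author FROM fonts WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fonts_safe(conn, term):
    """Same search with a bound parameter: the term can only ever be a string value."""
    return conn.execute("SELECT name, author FROM fonts WHERE name LIKE ?",
                        ("%" + term + "%",)).fetchall()


def crack_md5(hashes, wordlist):
    """Offline dictionary attack on unsalted MD5: hash every candidate once, then
    look each leaked hash up. Because MD5 is fast and unsalted, one table
    serves every user in the dump."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    Returns (salt, iterations, digest); a fresh salt per user defeats shared tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, stored):
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    conn = build_db()
    print("normal search:", search_fonts_vulnerable(conn, "Comic"))
    leaked = search_fonts_vulnerable(conn, UNION_PAYLOAD)
    print("injected search leaks user rows:", leaked)
    print("parameterized search, same input:", search_fonts_safe(conn, UNION_PAYLOAD))
    hashes = [row[1] for row in leaked if "@" in row[0]]
    print("cracked:", crack_md5(hashes, WORDLIST))
    stored = hash_password("letmein")
    print("pbkdf2 verify:", verify_password("letmein", stored), verify_password("wrong", stored))
```

The injected query ends up as `SELECT name, author FROM fonts WHERE name LIKE '%' UNION SELECT email, pw_md5 FROM users -- %'`, so the user table rides along in the font search results; the attacker only needs to match the column count of the original SELECT. With the bound parameter the same payload is searched for literally and matches nothing. The cracking step is cheap precisely because MD5 is fast and unsalted; PBKDF2 (or bcrypt, scrypt, Argon2) with a per-user salt forces the attacker to pay the full cost for every guess against every user.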
“I heard the database was getting traded around so I decided to dump it myself — like I always do, mainly just for the challenge [and] training my pentest skills,” the hacker explained in an interview with ZDNet.
Users can check whether their email address appears in the dump on Troy Hunt's Have I Been Pwned site. Anyone with a DaFont account should change that password immediately, replace it with a strong, unique one wherever the same password was reused on other services, and enable multi-factor authentication on any account that offers it.