SitePoint is an Australia-based website and publisher of books, courses and articles for web developers. The company has disclosed a data breach and notified its users via email.
Threat actors offered for sale an archive containing user details for one million SitePoint users on a cybercrime forum.
In December, security experts from Bleeping Computer reported that a threat actor was selling user records allegedly stolen from twenty-six companies on a hacker forum.
The data offered for sale totals 368.8 million stolen user records, of which 1 million belong to SitePoint.
“We have recently confirmed that SitePoint’s infrastructure was breached by a third party and some non-sensitive customer data was accessed as part of this attack.” reads the data breach notification shared by El Reg.
“As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters. Next time you login to SitePoint you will need to create a new password.”
The company revealed that threat actors compromised an unnamed “third party tool we used to monitor our GitHub account.”
“This allowed access through our codebase into our systems. This tool has since been removed, all of our API keys rotated and passwords changed,” the company said.
Data accessed by the threat actors could be exploited to access users’ codebase and system. The good news is that no financial information was exposed, because it was not stored on the company system.
Both ZDNet and Bleeping Computer speculate that the third-party tool compromised by the attackers is the Waydev app.
In response to the security breach, the company has reset the passwords of all its users.
The company pointed out that passwords were salted and hashed with the bcrypt algorithm, which is considered secure and makes the passwords hard to crack.