Unprotected Evite website containing customers’ data exposed in a data leak

August 4, 2019
Data breach

Evite, a social planning and e-invitations service company, detected a security breach when an unauthorized party acquired an inactive data storage file associated with the firm’s user accounts on April 15, 2019. This storage file contains customer information, including names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses.

 

Among the Alexa Top 3,000 most popular sites on the Internet, Evite is currently ranked at #2,744. In 2018, the Alexa website claimed it had more than 100 million annual users. Evite recently celebrated its 21st anniversary in the industry; founded in 1998, it is one of the oldest sites on the internet.

 

Evite, with the help of security researchers, investigated the incident and found that the attack started back on February 22, 2019. This is when a hacker named Gnosticplayers stole over 932 million user records from 44 companies, including 10 million Evite user records. Researchers conducting dark web monitoring found that these 10 million Evite user records were sold by the hacker on a dark web marketplace for ฿0.2419, or approximately $1,900.

 

As soon as the breach was discovered, Evite immediately notified the authorities and brought in external forensic consultants specializing in cyber-attacks to address the incident. Evite is now working with security experts to provide cybercrime solutions within the company’s system. Since then, Evite has continued to monitor its systems for unauthorized access, has introduced additional security measures, and has reset passwords for all affected users. Once a user’s password has been reset, the user will be prompted to enter a new password at the next log-in. Also, users must be cautious of unsolicited communications that ask for personal data, review all accounts where they used the same or a similar Evite password for suspicious activity, and avoid clicking on links provided by an unknown sender or downloading attachments from suspicious emails.

 

Evite assures users that no financial information or Social Security numbers were compromised, as it does not collect these from its users. Also, all payment information is maintained by and stored on the internal systems of its third-party vendor. In addition, user information more recent than 2013 was not contained in the hacked data storage file.

 

A security researcher said in a statement that the Evite data breach isn’t unprecedented and the fact that it’s all old data likely means that someone made a backup of that data, or left an old database running that eventually got exposed via a vulnerability. As a business, this goes back to the importance of understanding your attack surface since those old skeletons, while old, are still skeletons. He also added that it is equally important to realize that any form of personal information could be used in a phishing or social engineering attack and that just because an export doesn’t contain a password does not mean it’s not exploitable.

 
