Cybercriminals are highly motivated to target databases that contain large amounts of personal data. A company database is a gold mine that allows attackers to make a huge profit and is sometimes used to hold operational and personal data hostage.
A hacker successfully stole a total of 8.3 million DailyQuiz user accounts.
DailyQuiz, formerly known as ThisCrush.com, is a web-based service that allows users to create and update a personal page and to view other online pages, identified as a Crush Tag or Crush Page.
The stolen data is for sale on Telegram channels and underground forums. In January 2021, reports emerged that the data had been sold for around $2000 US dollars in cryptocurrency. The attackers successfully exfiltrated the DailyQuiz.me database, which holds approximately 12.8 million users and contains plaintext passwords, email addresses, and 8.3 million IP addresses of users.
The stolen data was passed between different data dealers and later reached security researchers. In May 2021, the stolen data was leaked publicly and added to the site Have I Been Pwned, where users of DailyQuiz.me can check whether their account details are included in the breach.
With the account information leaked publicly online, threat actors may use it to carry out brute-force attacks such as credential stuffing.
A credential stuffing attack uses an automated bot to attempt logins with many user accounts across various websites while using different IP addresses. The bot can track successful logins and acquire valuable information such as credit card data and personally identifiable information (PII) from the compromised accounts.
How to secure information from Cybercriminals
Companies that do not value database security may suffer damage such as the leakage of confidential information. Security lapses like storing users' passwords in plaintext can compromise users' identity and privacy. A proper security plan, effective implementation, and thorough testing can therefore lessen the possibility of being hacked.
In addition, users are advised to use a strong, unique password for each online account to reduce the risk of exposing more valuable information.
Users and companies may add another layer of data security, such as multi-factor authentication (MFA), to the sign-in process. Implementing MFA effectively plays a vital role, because a password alone can pose a security threat to personal and company accounts that have been compromised.