Web development services company SitePoint has alerted customers to a data breach that resulted in the theft of some of their information.
Founded more than two decades ago and headquartered in Melbourne, Australia, SitePoint provides users with access to videos and books that can help them understand the fundamentals of web development.
The organization began warning customers last week that some of their data was compromised by a third party during a “recently confirmed” cyber-attack.
SitePoint said that the culprit is a third-party application it uses to manage its GitHub account, “which has been compromised by malicious parties.”
Although it did not provide further detail on the compromised tool, SitePoint said hackers exploited it to control its infrastructure and codebase. The Waydev GitHub application was previously exploited in related attacks.
In addition to removing the tool, the company rotated API keys and changed passwords.
“As a precautionary measure, we have reset passwords on all accounts while we continue to investigate, and have extended our required length to 10 characters,” the company told users.
Names, usernames, hashed passwords, email addresses, and IP addresses are the details that were potentially stolen during the incident. Although the stored passwords are hashed and salted, users are encouraged to update them to ensure the security of their accounts.
“If you have previously used our program, your browser will stay logged in. However, by clicking on the option ‘Account > Profile & Settings’ and entering your information in the ‘Change your password’ section,” SitePoint said, “you can also generate a new password manually.”
Users who use Email, Twitter, or similar social media to log into SitePoint won’t have to change their passwords.
The company further states that it has no evidence that clients' financial information was compromised during the data breach, since it does not store credit card data and instead uses a third-party credit card processing service.
The organization has confirmed that it is now “performing a full evaluation of the data breach,” as well as of its technology and compliance posture.
SitePoint did not disclose the number of users impacted, but BleepingComputer estimates that, based on information that appeared in December 2020, over one million may have been affected. Apparently, the organization was alerted at the time of the incident.
“This breach, and the fact that they were alerted months ago, serves as a reminder that companies need to have a mechanism in place to address reports of possible data leaks and take them seriously. To encourage those affected to defend themselves, it is important for organisations to deal with these problems quickly and transparently,” Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment.
These kinds of abuses are a justification for teaching users not to use the same login credentials across different providers. In the event that the attackers are able to break the encryption, they are likely to try the passwords on other websites, particularly banking sites and shopping sites, in the hope that they are reused there, Kron added.