Weebly, a San Francisco-based company that has allowed more than 40 million people to create websites since 2007, will start sending notification letters to all of its customers on Thursday, informing them of a data breach that occurred eight months ago.
The breach, affecting 43,430,316 customers, happened in February 2016, but the root cause remains unknown. The compromised database is just now coming to the public’s attention after an anonymous source sent it to LeakedSource.
Prior to being notified, Weebly was unaware of the breach, but moved quickly once informed. Each compromised record contains usernames, passwords, email addresses, and IP information.
“Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers. At this point we do not have evidence of any customer website being improperly accessed,” the company said in a statement sent to Salted Hash.
“We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident. We are taking steps to notify our customers - and we are taking swift action to address the situation. Our security team, with support from outside security consultants, is working to protect our customers and to enhance our network protections. This includes initiating password resets, implementing new password requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity.”
Weebly said that more information and additional updates would be given to customers and partners directly.
LeakedSource posted details about the breach on its website, confirming that the company used uniquely salted bcrypt hashing to protect its customers' passwords.
Such security measures, LeakedSource wrote, prevented the data breach from becoming more of a problem than it already was, as those responsible for the breach couldn’t target customer websites.
“This mega breach affects not only tens of millions of users but tens of millions of websites and with Weebly being one of the most popular hosting platforms in the world, this breach could have been far more disastrous in the wrong hands had they not strongly hashed passwords,” the blog said.
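As an added example that is not from the article or from Weebly, the following Python shows the property LeakedSource is crediting: a per-record salt plus a slow hash means a leaked credential table neither exposes which users share a password nor yields to a single precomputed lookup. Python's standard library has no bcrypt, so `hashlib.scrypt` stands in for it (an assumption; the salting and work-factor behaviour demonstrated is the same), and the account names and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# scrypt stands in for bcrypt here (assumption: stdlib has no bcrypt).
# Work factor is tuned down so the demo runs quickly; production uses more.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1
SALT_BYTES = 16

# Constructed sample accounts (not breach data): two users reuse "hunter2".
SAMPLE_ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def hash_password_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Identical passwords produce
    identical hashes, so one cracked value unlocks every account sharing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger scheme: random per-record salt plus a slow KDF, stored as
    salt$digest so the salt is available again at verification time."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_table(hasher: Callable[[str], str]) -> Dict[str, str]:
    """What the stored credential table looks like under a given scheme."""
    return {user: hasher(pw) for user, pw in SAMPLE_ACCOUNTS.items()}


def table_reveals_reuse(table: Dict[str, str]) -> bool:
    """Defender's audit: can identical passwords be spotted from the stored
    values alone? True for an unsalted table, False with per-record salts."""
    return len(set(table.values())) < len(table)


if __name__ == "__main__":
    print("unsalted table reveals reuse:", table_reveals_reuse(build_table(hash_password_unsalted)))
    print("salted table reveals reuse:  ", table_reveals_reuse(build_table(hash_password_salted)))
```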
In addition to disclosing the Weebly breach, LeakedSource also used the blog to rant about its recent suspension from Twitter, for reasons unknown, and to disclose the fact that it is currently working on data from FriendFinder Networks Inc. (See Salted Hash’s coverage on these latest developments.)
The post also says that 22 million records from a 2013 data breach at Foursquare, as well as 58 million records from the recent data breach at Modern Business Solutions.