Minted discloses data breach after 5M user records sold online
Minted, a US-based marketplace for independent artists, has disclosed a data breach after a hacker sold a database containing 5 million user records on a dark web marketplace.
Minted is an online marketplace that allows independent artists to submit their art, which is then voted on by the Minted community. The winning submissions are then sold as art, home décor, and stationery to consumers.
Earlier this month, BleepingComputer reported that a hacking group named Shiny Hunters was selling the user records for eleven companies on a dark web marketplace.
One of these databases allegedly contained 5 million user and mailing address records for Minted. This database was being sold for $2,500.
Based on samples of the database seen by BleepingComputer, the user records included users’ email addresses and their Blowfish-hashed passwords.
The second database table contained mailing addresses and phone numbers of Minted users.
At the time of our reporting, BleepingComputer emailed Minted but never received a response.
Minted issues data breach notification
Now, almost three weeks later, Minted has started to notify users that they were affected by a data breach after their systems were hacked.
According to Minted’s data breach notification, the attackers gained access to the company’s user database on May 6th, 2020.
“The information involved includes customers’ names and login credentials to their Minted accounts, consisting of their email address and password. The passwords were hashed and salted and not in plain text. Telephone number, billing address, shipping address(es), and, for fewer than one percent of affected customers, date of birth, also may have been impacted,” Minted states in their data breach notification.
Minted states that they do not believe credit card information, customer address book information, or photos or personalized information that customers added to Minted designs were accessed during the breach.
What Minted customers should do
While the passwords leaked in this data breach were hashed and salted rather than stored in plain text, threat actors can use password-cracking programs to recover the original passwords from the hashes.
After a user’s password is cracked, threat actors would be able to use it in credential stuffing attacks at other sites.
Therefore, if you are a Minted customer, you should immediately change your password to a strong and unique one.
If you used that same password at any other site, you should change it there as well.
When changing your passwords, be sure to use a unique and strong password at every site so that a data breach does not affect your account at other companies.
A password manager can make it much easier to use unique passwords at every site and is highly recommended.