
Wattpad data breach exposes account info for millions of users


An allegedly stolen Wattpad database containing 270 million records was being sold in private sales for over $100,000. Now it is being offered for free on hacker forums.

Wattpad is a web site that allows members to publish user-generated stories on a variety of different topics. The site is immensely popular and is ranked as the 150th most visited site worldwide.

Since July 7th, BleepingComputer has been tracking the rumored private sale of a Wattpad database containing over 200 million records.

In an anonymous tip, BleepingComputer was told that this database was being sold by Shiny Hunters, a group known for selling company databases acquired in data breaches.

Cyber intelligence firm Cyble told BleepingComputer that this database was being sold for ten bitcoins, or almost $100,000 at the time.

BleepingComputer contacted Shiny Hunters about this breach, and at first, they were concerned about how we knew about the sale, and then later denied having anything to do with it.

A few sample records of this database seen by BleepingComputer contain user names, names, hashed passwords, email addresses, and general geographic location.

BleepingComputer contacted the users in this sample, and one user confirmed with BleepingComputer that the listed information was accurate.

BleepingComputer was told by Kiel Hume, Director of PR & Communications at Wattpad, that they are working with external security consultants to investigate the potential breach.

“We continue to investigate the information you’ve shared and its potential origins. At this time we’ve enlisted external security consultants to aid our investigation. We take the security of our users and their data extremely seriously, and our teams will be working around the clock to uncover any new information.”

Update 7/14/20 4:08 PM EST: Hume sent BleepingComputer an updated statement saying that Wattpad is working to contain and remediate the breach, but that no financial information, phone numbers, stories, or private messages were accessed during the incident.

We are aware of reports that some user data has been accessed without authorization. We are urgently working to investigate, contain, and remediate the issue with the assistance of external security consultants.

From our investigation, to date, we can confirm that no financial information, stories, private messages, or phone numbers were accessed during this incident. Wattpad does not process financial information through our impacted servers, and active Wattpad users’ passwords are salted and cryptographically hashed. 

We are committed to maintaining the trust that our users have placed in us to ensure the safety and security of the Wattpad community.


Wattpad database now free on a hacker forum

While the database was previously being sold for the high price of $100,000, it is now being offered for free and is claimed to contain 271 million users.

Today, a new user was registered on a hacker forum using the name and photo of ZDNet reporter Catalin Cimpanu and began offering this alleged database for free.

Cimpanu, who is a former reporter at BleepingComputer, is likely being impersonated due to his recent article about the hack of NightLion, the security firm of Vinny Troia, who claims to be revealing the identity of Shiny Hunters and other data breach sellers this week.

The user offering this database claims that 145 million passwords are hashed with bcrypt, and the other 44 million are hashed with SHA256.

This mixture of hashing methods was used in the samples seen by BleepingComputer.

The number of users reported to be in this stolen database conflicts with the reported 80 million total users on Wattpad in 2019.

BleepingComputer has not independently verified this database’s authenticity other than the limited samples shared with us last week.

We have once again reached out to Wattpad for further comment.

This is a developing story.

