Fi8sVrs

No razzle-dazzle here! Hackers target Zazzle with run-of-the-mill brute-force attack

We’ve said it before: stop reusing passwords on different sites.

Online criminals have pulled off a tried-and-true password brute-force attack against online marketplace Zazzle.

On 25 August, the company notified the Office of the Attorney General in California about a security incident that might have undermined users' account security. As Zazzle explains in a breach notification letter:

Quote

We take security extremely seriously at Zazzle and wanted to let you know that in July 2017, our Security Team detected a brute force data security attack. During this data breach, some unauthorized login attempts to Zazzle accounts were made, including one using your Zazzle username (email address) and password.

 

Quote

Given the nature of the incident, Zazzle believes that your username (email address) and password may have been obtained by an unauthorized third party, through a breach of other website(s), who then tried to confirm your credentials on our site.

 

Those behind the attack attempted to authenticate as users of the site without their authorization. They did this through password-reuse (credential-stuffing) attacks: taking users' login credentials publicly disclosed in the Weebly, Dropbox, LinkedIn and other "mega-breaches" of 2016 (among other security incidents) and trying them across various web services.
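The pattern described above has a recognisable signature on the defender's side: one origin tries many different usernames in a short window, and most of those attempts fail, because the attacker only holds a working password for the accounts whose owners reused it. The detector below is an added example, not Zazzle's or the article author's code; the log line format, the source addresses and the usernames are all constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Credential-stuffing detection over login logs (added example).

Heuristic: a credential-stuffing source tries many *different* usernames
from one origin inside a short window, and most attempts fail. A single
user fumbling their own password produces failures for one username only
and is not flagged.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample lines (documentation address ranges, made-up users);
# the "src=... user=... result=..." format is an assumption, not a real product's log.
SAMPLE_LOG = """\
2017-07-12T03:14:05Z src=203.0.113.7 user=alice@example.com result=fail
2017-07-12T03:14:06Z src=203.0.113.7 user=bob@example.com result=fail
2017-07-12T03:14:06Z src=203.0.113.7 user=carol@example.com result=success
2017-07-12T03:14:07Z src=203.0.113.7 user=dave@example.com result=fail
2017-07-12T03:14:08Z src=203.0.113.7 user=erin@example.com result=fail
2017-07-12T03:14:09Z src=203.0.113.7 user=frank@example.com result=fail
2017-07-12T03:15:01Z src=198.51.100.4 user=grace@example.com result=fail
2017-07-12T03:15:20Z src=198.51.100.4 user=grace@example.com result=fail
2017-07-12T03:15:44Z src=198.51.100.4 user=grace@example.com result=success
2017-07-12T09:00:00Z src=203.0.113.7 user=heidi@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, source, user, succeeded) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "success"


def detect_credential_stuffing(log_text, window_seconds=300,
                               min_distinct_users=5, min_failure_ratio=0.6):
    """Flag sources that, within any sliding window, hit many distinct
    usernames with a high failure ratio. Returns {source: summary}.

    The summary lists the usernames the source *successfully* logged into
    during a flagged window: those are the accounts to force a reset on."""
    events = sorted(filter(None, (parse_line(l) for l in log_text.splitlines())),
                    key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        seen_users, successes = set(), set()
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            failures = sum(1 for _, _, ok in window if not ok)
            if len(users) >= min_distinct_users and failures / len(window) >= min_failure_ratio:
                seen_users |= users
                successes |= {u for _, u, ok in window if ok}
        if seen_users:
            alerts[src] = {"distinct_users": len(seen_users),
                           "successes": sorted(successes)}
    return alerts


if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, summary)
```

On the constructed sample, 203.0.113.7 is flagged (six usernames in five seconds, five failures, one success for carol@example.com), while 198.51.100.4, three attempts against a single account, is not. The successes list is the actionable output: those are the accounts whose reused passwords the attacker has confirmed, which is exactly the population a forced reset should cover first.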

At this time, it's unclear just how many members the attack might have affected. Zazzle's CTO Bobby Beaver estimates the attackers might have gained access to "thousands of accounts," a general figure which he says represents only "a small percentage of accounts."

But even if an attacker did access their profile, Beaver wants to reassure users that they can recover from the hack using the site's password recovery mechanism.

As he told ZDNet:

Quote

"The reset procedure we referenced requires the user reconfirm their email address by sending a security token to that email address. As such, a malicious actor could not reset the password for the account -- unless they had access to the email account itself, which is not in our control."

Rather than take a chance with users' accounts, Zazzle has imposed a mandatory password reset for all members. Users should therefore choose a strong password to protect their account whenever they next visit the online marketplace. Whatever they choose should be one that they haven't used with any of their other accounts.
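Beaver's point that an attacker cannot reset a password without controlling the mailbox only holds if the reset flow is built that way: the token must be unguessable, stored server-side only as a hash (so a database read does not hand out usable tokens), time-limited and single-use, and the request endpoint must answer identically whether or not the address is registered. The class below is an added example of such a flow, not Zazzle's code; the mailer callback, the in-memory account store and the 15-minute lifetime are assumptions.

```python
"""Email-token password reset (added example, not Zazzle's implementation).

Property demonstrated: completing a reset requires the token that was
mailed to the account's address. The server keeps only SHA-256(token),
so the stored value cannot be replayed; tokens expire and are single-use.
"""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime for a reset token


class ResetService:
    def __init__(self, accounts, send_email, clock=time.time):
        self.accounts = accounts        # email -> {"salt": bytes, "pw_hash": bytes}
        self.send_email = send_email    # hypothetical mailer: callable(address, token)
        self.clock = clock              # injectable for testing expiry
        self.pending = {}               # sha256(token) -> (email, expires_at)

    @staticmethod
    def _hash_token(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def request_reset(self, email):
        """Always return the same message so the endpoint cannot be used to
        enumerate which addresses hold accounts."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)          # 256 bits of randomness
            self.pending[self._hash_token(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
            self.send_email(email, token)              # only the mailbox owner sees it
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        entry = self.pending.pop(self._hash_token(token), None)   # single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        salt = os.urandom(16)
        self.accounts[email] = {"salt": salt,
                                "pw_hash": self._hash_password(new_password, salt)}
        # Any other outstanding tokens for this account are now void.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != email}
        return True

    def verify_login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct["pw_hash"],
                                   self._hash_password(password, acct["salt"]))


def demo():
    """Stand-alone walk-through with a fake mailbox and clock; returns True on success."""
    outbox, now = [], [1_000_000.0]
    svc = ResetService({"alice@example.com": {"salt": b"\x00" * 16, "pw_hash": b""}},
                       lambda addr, tok: outbox.append((addr, tok)), clock=lambda: now[0])
    svc.request_reset("nobody@example.com")           # unknown address: no mail, same reply
    svc.request_reset("alice@example.com")
    _, token = outbox[0]
    ok = (len(outbox) == 1
          and not svc.complete_reset("guessed-token", "x")
          and svc.complete_reset(token, "correct horse battery")
          and not svc.complete_reset(token, "replayed")   # already consumed
          and svc.verify_login("alice@example.com", "correct horse battery"))
    svc.request_reset("alice@example.com")
    _, late = outbox[1]
    now[0] += TOKEN_TTL_SECONDS + 1
    return ok and not svc.complete_reset(late, "too late")


if __name__ == "__main__":
    print("reset flow OK" if demo() else "reset flow FAILED")
```

The design choice worth noting is that the token itself never touches storage: a leaked `pending` table yields only hashes, and because the token carries 256 bits of randomness, a hash is not reversible in practice. The same-message reply from `request_reset` is what keeps the reset endpoint from becoming an account-enumeration oracle during an attack like the one described.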

That's not to say that Zazzle is sitting on its hands in the meantime, however.

The company has implemented a CAPTCHA to prevent automated login attempts. It's also considering the activation of additional security measures.

Considering the fact that the company suffered two breaches in August 2016, Zazzle should look into extra measures, such as a two-step verification (2SV) security feature.

If it follows that advice, Zazzle's users will thank it in the long run.

 

Via: https://www.grahamcluley.com/zazzle-brute-force-attack/
