By SecureWorld News Team
Thu | Jun 15, 2017 | 11:39 AM PDT

Six million accounts have been compromised following a breach at CashCrate, a website that pays users to complete surveys or test new products.

According to Motherboard, which received the database through Leakbase, email addresses, names, passwords, and physical addresses were all compromised.

Some of the accounts were created more than 10 years ago. Passwords for accounts registered post-2010 were hashed with the MD5 algorithm, which offers little protection in practice.

"Using MD5 hashes as a form of security, in this day and age, is akin to saying that you're not using any security whatsoever. No respectable security organization would employ this sort of hashing as its primary method for securing credentials and other personally identifiable information, especially not as its sole security method, such as what it seems CashCrate was doing according to the reports," said Nathan Wenzler, Chief Security Strategist at AsTech.

"This is an incredibly reckless and absolutely negligent way of implementing security controls and does not even represent a reasonable attempt at exercising due diligence for protecting their users' privacy and identities," he added.

Motherboard also found that the actual CashCrate site doesn't use basic web encryption, even on pages where credentials are inputted.

"We're in the process of notifying all our members about the breach. While we're still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We've deactivated it until we're confident it's secure," a CashCrate spokesperson told Motherboard.

"We have also confirmed that any users who have logged in since October 2013 have passwords that are fully hashed and salted, and we're looking into why some inactive accounts have plaintext passwords. Those will be hashed and salted immediately," the CashCrate representative added.
