
Weebly hacked, 43M credentials stolen - ttam
https://techcrunch.com/2016/10/20/weebly-hacked-43-million-credentials-stolen/
======
drusenko
Obviously, this is a very disappointing situation for us -- we've always taken
security very seriously since day 1, it's something that's been core to who we
are from the beginning.

That said, how you respond in this situation can be just as important, and so
we are making sure to be incredibly proactive in addressing the situation &
transparent in how we communicate the details with our customers. Our top and
immediate concern has been our users and the safety of their accounts.

A few days ago we became aware that an unauthorized party obtained email
addresses/usernames, last login IP addresses and bcrypt hashed passwords for a
large number of customers (anyone who signed up prior to March 1 of this
year).

At this point we do not have evidence of any customer website/account being
improperly accessed. It's also worth noting that we do not store any full
credit card numbers on Weebly servers, so any credit card information was not
part of this incident.

We immediately started working on taking steps to notify our customers, and
were able to get this out in a matter of a few days. We're initiating password
resets as of this morning, and we've also made several improvements to the
application including new password complexity requirements and a new dashboard
that gives customers an overview of recent log-in history of their Weebly
account to track account activity. We also increased our bcrypt work factor
from 8 to 10, and all passwords will be automatically upgraded as of the next
time a user logs in.

We've hired an incident response firm who is working with our internal team to
complete a full investigation. In the meantime, we're examining our stack top
to bottom and taking many steps to enhance our network and application
security. This is an area we take very seriously and we'll be putting in
tremendous effort to ensure this doesn't happen again.
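The upgrade-on-login step described in the post (work factor raised from 8 to 10, applied the next time each user signs in), as an added example that is not Weebly's code: a stdlib stand-in for bcrypt (PBKDF2-HMAC-SHA256 with 2**cost iterations, so each cost step doubles the work) is used so the block runs offline, and the record format `$kdf$<cost>$<salt>$<digest>` is constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Target work factor after the upgrade (the post moved from 8 to 10).
TARGET_COST = 10


def hash_password(password: str, cost: int = TARGET_COST,
                  salt: Optional[bytes] = None) -> str:
    """Hash with a cost-parameterised KDF and store the cost in the record.

    Stand-in for bcrypt (constructed for this example): PBKDF2-HMAC-SHA256
    with 2**cost iterations, so raising the cost by one doubles the work.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$kdf$%02d$%s$%s" % (cost, base64.b64encode(salt).decode(),
                                base64.b64encode(dk).decode())


def record_cost(record: str) -> int:
    """Read the work factor out of a stored record. bcrypt keeps it in the
    same position: a hash starting '$2b$10$' was computed at cost 10."""
    return int(record.split("$")[2])


def verify(password: str, record: str) -> bool:
    """Recompute at the cost recorded in the hash and compare in constant time."""
    _, _, cost, salt_b64, digest_b64 = record.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** int(cost))
    return hmac.compare_digest(actual, expected)


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify, then re-hash at TARGET_COST if the stored cost is lower.

    Returns (ok, record_to_store). The plaintext is only in hand at login,
    so this is the one moment an old hash can be upgraded; a failed login
    never changes the stored record.
    """
    if not verify(password, stored):
        return False, stored
    if record_cost(stored) < TARGET_COST:
        return True, hash_password(password, TARGET_COST)
    return True, stored
```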

~~~
markdown
Can't blame you for being hacked, but how can security be "core to who we are"
if it took 6 months to discover a breach?

~~~
tptacek
You're describing basically every breach ever.

~~~
jacquesm
You wish. I'd wager the majority _never_ gets discovered.

~~~
tptacek
Touché.

------
papayawhip
Responsible disclosure and proper handling of passwords as well as not storing
credit cards. Barring no breach at all, this is about as well as something
like this can go.

~~~
matt_wulfeck
Bonus points for mentioning the hashing algo and for not confusing "hashed"
with "encrypted".

~~~
teej
That incident response firm seems to be worth it.

~~~
tptacek
Weebly is one of the more clueful startups. They didn't get this from the IR
team. They've been doing stuff right for a long time.

~~~
teej
I don't doubt that they're clueful. That's why I'm confident that they hired
an excellent incident response team and wisely chose to have them review and
edit any external communication. Anything less would be irresponsible.

------
drinchev
Every time this happens I ask myself only one question.

What about all those hacked servers that we don't know are hacked yet?

There are (and I'm pretty sure) lots of hackers that do this on a daily
basis, but don't try to do anything malicious on a large scale (like dumping
the whole db of customers, DDoS, etc.). They probably target medium-large or
small companies' servers, put a backdoor there and analyze. Either stealing
some business secrets or leaving it like that for one of the dark days when some
political-corporate person will need their help.

Having the whole of human knowledge in the palm of my hand has also made our own
lives public knowledge.

~~~
erjjones
Exactly!

Also in this instance, Weebly, they get an anonymous "hey look, I have all of
your data".

So Weebly issues a statement to their customers to reset their passwords
(which the hackers knew would be a byproduct) and unbeknownst to them the
hackers are now skimming the new passwords off the network.

------
mattjaynes
More details and background:
[https://www.leakedsource.com/blog/weebly/](https://www.leakedsource.com/blog/weebly/)

------
ksec
I really like Google's Recent Log in Activity and Location. So if anyone logs
into your account from a different location, you are automatically notified.
But one of the problems with this is that once hacked, it exposes your location
as well.

2nd thing is 2FA. I hope 2FA becomes the standard for all logins. Even SMS. (I
know SMS is not safe in the US, but I am not sure if similar can be said in the EU or
Japan.)

------
stevesun21
I wonder if the hacker is really interested in decoding credentials or they just
want to collect the email addresses, which are really valuable for email
marketing.

~~~
jazoom
You mean "email spamming"? I'd be hesitant to call that "marketing".

~~~
davidsong
Spam is as much a form of marketing as assault is a form of touching.

------
lrvick
I have talked to a number of current and former Weebly employees trying to
convince them to use things like hardware token based 2FA, hardened servers,
hardened workstations, and strong end to end encrypted password management
that can't be trivially decrypted from a private key stolen from memory. I had
such things written off as being too paranoid when they are too easy -not- to
set up.

I was not at all shocked by this headline.

I don't want to just single out Weebly here as I discuss these sorts of things
with people at different companies all over the bay out of personal interest
and anything harder than using something like lastpass to reach production
systems is considered too much work. Honestly Google and Facebook are the only
large companies I have seen deploy fairly decent security practices out of the
dozens I have exposure to. I credit this to the fact they employ teams of people
who have the specific job of continually auditing and enforcing all available
security tools on their systems and fostering a culture that security is
everyone's job.

You will pay for security either way. Either up front paying teams of capable
people, or in lost customer trust after the fact.

Security apathy in the valley is a cancer impacting companies of all sizes.
Sure you can't make anything perfectly secure, but you can at least force your
attacker to burn a 0day. Don't make it as easy as spoofing an email and
getting an employee to click a malicious link.

If you have any sort of privileged access to PII data of your customers and
are not even doing basics like using hardware tokens to gate your server and
db access you are one keylogger or XSS away from a serious breach. If you know
how to set such things up and still don't do it, you are additionally a
terrible person.

At the very least the data required to readily plaintext the passwords is not
public in this case which is a lot better off than companies using only simple
hashing like md5. Some credit is due here for sure, but I can't help but
strongly suspect the issues here and in now countless other orgs are a result
of people having access to PII that don't really care about security or
respect the privacy of the user data they are responsible for.

~~~
scurvy
How do you know if any employee passwords were stolen? How do you know it
wasn't just a basic application exploit?

How do you know Weebly doesn't do the things you mentioned?

Fact is, you don't and that post was just an ad for your "services" in the
form of a thinly veiled critique.

~~~
lrvick
I have no idea if that was what caused this particular incident, but there was
a lot of exposed surface on the table in that area making an attacker's job
that much easier via those vectors. Employee workstation or credential
compromise is one of the most common ways internal assets are stolen. When
easy to implement measures are not taken like using hardware tokens to gate
access... then I am left to suspect if any of the harder things were done.

As for making an ad for my "services": my company does not provide security
services and I am not looking for a job in this space. Pretty happy where I
am. I gain nothing from posting this but to promote discussion I feel is
important for our industry.

I do however participate in a not-for-profit community I have funded mostly
out of pocket for the last 15 years for helping teach better system admin and
security practices. If you can even find it, and want to call this an ad for
that ... uh, sure.

------
mirekrusin
But on the website it says they have 30m users only?

~~~
grzm
I see "Join over 40 million people worldwide" [0]

[0] [https://www.weebly.com](https://www.weebly.com)

------
allerhellsten
Credentials aren't stolen for sure. I can still log in.

------
guessmyname
And here I am, trying to apply for a Senior position there [1].

[1]
[https://news.ycombinator.com/item?id=12752642](https://news.ycombinator.com/item?id=12752642)

~~~
cyberferret
Well, the breach was back in February this year, so I hope they have put
better security in place since then. I've seen ads for Weebly all over the
place, but never realised they had that many users. Good luck with your
application... :)

~~~
ryanburk
Accounts don't mean the same thing as current or active users. A company
very likely doesn't delete accounts right away or at all, even if the service
has been cancelled. For example, a few years ago Microsoft's Live ID system
had well over a billion accounts, but MAU was only around 450M. And that is
with culling / deleting accounts after a year if they were unused.

~~~
joncalhoun
While I agree the two are different, I also think in Weebly's case accounts could
translate into multiple users. I know for a fact that my wife and her sister
both share a weebly account for their business and I believe they have to
share a login to do this.

