An attack on the forums for the Boxee internet-TV service has yielded 158,000 customer passwords – and what appears to be email addresses and full messaging histories for the victims.
The large-scale data breach affects forum users, rather than revealing passwords for the service itself – but perhaps the most unusual feature of the attack has been the company’s response: total silence.
Boxee’s main corporate page still contains an upbeat message about its recent deal with Samsung, and its social feeds contain no mention of the hack, according to SlashGear’s report.
The attackers posted an 800MB file of user data, and it was left to independent security researchers such as Scott McIntyre to highlight the story, with Tweets such as, “It is real, it happened last week and many of us in operational security have had a full copy of the data since then.”
According to Ars Technica, the file appears to contain 172,000 email addresses, plus 158,128 cryptographically scrambled email addresses – as well as birth dates, IP addresses, message histories, and password changes.
Ars’ Dan Goodin points out that while the information may be scrambled, it’s still dangerous. Such ‘dumps’ are highly susceptible to cracking attacks – and the wealth of information in this leak could be highly valuable to ID thieves.
Expert Reviews says that users have not been notified by email that their information may be at risk.
Concerned users can visit a website built using the data dump to see if their details have leaked – https://haveibeenpwned.com/. Entering an email address or username will allow users to check if they are among the victims whose data has leaked.
Author Rob Waugh, We Live Security