Personal Data and Credentials of 268 Million Users Exposed In Recent Wattpad Hack
July 23, 2020 • RBS
Each year the Cyber Risk Analytics research team at Risk Based Security captures and analyzes thousands of data breaches. Given the volume of events we see, it takes something special for the breach to grab our attention. The recent incident at Wattpad did exactly that, both for the size of the breach and what could be learned from the dataset.
What is Wattpad?
Wattpad, reportedly the 151st most visited website in the world, calls itself “the world’s most-loved social storytelling platform”, claiming to connect “a global community of 80 million readers and writers through the power of story.” The Toronto-based company is more than a self-publishing platform, working closely with publishing companies to identify emerging trends and as a conduit for promoting new material. Wattpad also ventures into production. According to the company’s website, Wattpad Studios “partners with the entertainment industry to co-produce Wattpad stories for TV, film, digital video, and print.” The list of partnerships is impressive, including well known companies like Sony Pictures Television, NBC, CBC and more.
On July 14, 2020, our research team discovered that a threat actor shared a compromised database allegedly originating from Wattpad. The leaked database included more than 270 million records with more than 268 million unique email address and password combinations.
Upon further investigation, our research team concluded that the database was originally breached in June 2020 and contains personally identifiable information (PII) in addition to the user account credentials. Although other publications have released details on the initial attempt to sell the data, as well as naming the threat actors responsible, a breakdown of affected credentials has not been released – until now.
Email Address Domain Breakdown
The breached SQL database contains one large user table, consisting of 270,784,079 email addresses. After removing the duplicates, 268,830,266 email addresses remained.
The user table also contained user IDs, names, IP addresses, locations, an empty data column designated for phone numbers, dates of birth, genders, Facebook and Twitter IDs, Tumblr URL, Tumblr email addresses, and Tumblr passwords.
Further analysis of the database shows that the email addresses contain the following domain breakdown:
- gmail.com: 161,579,758
- yahoo.com: 35,131,453
- hotmail.com: 31,278,097
- .mil: 2,713,612
- .edu: 973,164
- .gov: 139,506
While a high number of compromised gmail, yahoo, and hotmail addresses was expected, the number of military-related email addresses was not. Nearly 3 million .mil accounts had been compromised in the Wattpad breach. Email addresses and records for Wattpad employees were also found in the database.
In addition, an analysis using various Fortune 500 companies shows that commercial email addresses are also included in the compromise:
- Microsoft.com: 1,722
- Accenture.com: 393
- AIG.com: 308
- Deloitte.com: 116
- Target.com: 101
- Adobe.com: 48
- Experian.com: 9
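The deduplication and domain breakdown described above can be reproduced on any dump in the same shape. The script below is an added example, not Risk Based Security's tooling; it runs over a handful of constructed, made-up rows (not records from the leaked database) and assumes a hypothetical watch-list of corporate domains an analyst wants to check for, in the way the Fortune 500 and Wattpad staff domains were checked here.

```python
import re
from collections import Counter

# Constructed sample rows (email, password hash). These are made-up values,
# not records from the leaked database.
SAMPLE_ROWS = [
    "alice@gmail.com,5f4dcc3b",
    "Alice@Gmail.com,5f4dcc3b",      # same address, duplicate after normalisation
    "bob@yahoo.com,e99a18c4",
    "carol@hotmail.com,ab56b4d9",
    "dave@mail.mil,098f6bcd",
    "erin@cs.example.edu,81dc9bdb",
    "frank@city.example.gov,d8578edf",
    "grace@microsoft.com,1f3870be",
    "heidi@accenture.com,6cb75f65",
    "ivan@wattpad.com,8277e091",     # staff domain
    "not-an-email,deadbeef",         # malformed row, must be skipped
]

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")
# Hypothetical watch-list: domains the analyst wants flagged (assumption).
WATCHLIST = {"microsoft.com", "accenture.com", "wattpad.com"}
TLDS_OF_INTEREST = ("mil", "edu", "gov")


def normalise(email):
    """Lower-case and trim; return None for anything not address-shaped."""
    email = email.strip().lower()
    return email if EMAIL_RE.match(email) else None


def breakdown(rows):
    """Deduplicate by address, then count per domain, per TLD and per watch-list hit."""
    seen, total = set(), 0
    by_domain, by_tld, watch_hits = Counter(), Counter(), Counter()
    for row in rows:
        email = normalise(row.split(",", 1)[0])
        if email is None:
            continue            # skip rows without a parseable address
        total += 1
        if email in seen:
            continue            # count each address once, as in the analysis above
        seen.add(email)
        domain = email.rsplit("@", 1)[1]
        by_domain[domain] += 1
        tld = domain.rsplit(".", 1)[-1]
        if tld in TLDS_OF_INTEREST:
            by_tld["." + tld] += 1
        if domain in WATCHLIST:
            watch_hits[domain] += 1
    return {"total": total, "unique": len(seen), "by_domain": by_domain,
            "by_tld": by_tld, "watchlist": watch_hits}
```

Running `breakdown(SAMPLE_ROWS)` on the sample gives 10 parseable rows, 9 unique addresses, one hit each for .mil, .edu and .gov, and watch-list hits for microsoft.com, accenture.com and wattpad.com.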
Increased Risk for Exposed Users
This recent hack will leave users and businesses exposed to a variety of cyberattacks. User credentials are often leveraged by threat actors in attempts to gain access to other valuable platforms such as bank accounts, personal email accounts, and corporate systems. Commercial email addresses can also be targets for spear-phishing or extortion.
It is uncommon for such a high proportion of records to be unique when the number of exposed records is this large. This is likely to raise the dataset's value to threat actors and hackers looking to take advantage of the leaked credentials.
ShinyHunters, a notorious threat actor (or group), has claimed responsibility for the hack; however, they state that they are not responsible for the publicly released database. ShinyHunters claims that the version of the database they possess contains the users' password "salts", while the newly released database does not. A salt is a random value combined with a password before it is hashed, and an attacker who lacks the salts has a much harder time recovering the original passwords from the stored hashes.
However, numerous files have already appeared and circulated on dark web forums containing at least 8 million cracked Wattpad user passwords.
Previous Breaches and Current Investigations
Wattpad was also involved in a data breach in 2015, publicly stating that an unknown amount of account details and passwords were exposed. It does not appear that this current incident is related to their previous breach.
We have reached out to Wattpad regarding the compromised database but have not received a response.
According to BleepingComputer, a representative from Wattpad stated:
“We are aware of reports that some user data has been accessed without authorization. We are urgently working to investigate, contain, and remediate the issue with the assistance of external security consultants.
From our investigation, to date, we can confirm that no financial information, stories, private messages, or phone numbers were accessed during this incident. Wattpad does not process financial information through our impacted servers, and active Wattpad users’ passwords are salted and cryptographically hashed.
We are committed to maintaining the trust that our users have placed in us to ensure the safety and security of the Wattpad community.”
Given the popularity of the site, the size of the database, the notoriety of the threat actor(s) involved, and the potential value of the data, media coverage of the event has been surprisingly quiet. Unlike the flood of headlines generated by other large events, this breach has garnered relatively little coverage.
In the meantime, Wattpad appears to be underplaying the seriousness of the event with statements like this one from their FAQ:
Is there any potential impact on users?
Given the type of information that we have about our users, we think it’s unlikely that this will meaningfully affect our users.
The Data Breach Landscape
According to Risk Based Security’s Q1 Data Breach Report, approximately 50% of the breaches reported in the first three months of the year resulted in the compromise of access credentials in the form of passwords in combination with email addresses or usernames. Credential theft remains very popular thanks to password reuse across multiple sites and services and is expected to remain in the top spot of the most compromised data types.
Stay tuned for the Mid-Year Data Breach Report for more insight into breach activity reported through the first six months of the year.