Weebly hacked. Usernames and bcrypt passwords stolen. EV Certificate helps protect users.
43,430,316 Weebly users will be opening their emails today with a notice that their account details may have been compromised. The compromise is thought to have happened in February 2016. Any user accounts created before 1 March 2016 are potentially compromised.
The data said to have been taken includes username, email address, bcrypt password hash and recent login IP address.
The good news is that the passwords taken were hashed with bcrypt at a work factor of 8. This means they are potentially uncrackable for a good few years with current computing power.
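To show what a bcrypt work factor of 8 means for a defender, the following added example (not code from Weebly or from the original article) parses stored bcrypt strings, reports their cost, and flags hashes below a policy floor so they can be re-hashed at the next successful login. The policy floor of 12, the function names and the sample rows are assumptions constructed for this example.

```python
import re

# bcrypt modular crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2([abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}")
MIN_COST = 12  # assumed policy floor for this example, not from the article

def parse_bcrypt(stored):
    """Return (variant, cost) for a bcrypt hash string, or raise ValueError."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # range bcrypt accepts
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    return "2" + m.group(1), cost

def audit(stored, min_cost=MIN_COST):
    """Report the cost of one stored hash and whether it needs upgrading."""
    variant, cost = parse_bcrypt(stored)
    return {
        "variant": variant,
        "cost": cost,
        "iterations": 2 ** cost,          # key-setup iterations per guess
        "needs_rehash": cost < min_cost,  # re-hash at next successful login
        # how much cheaper each guess is than at the policy floor
        "guess_discount": 2 ** max(min_cost - cost, 0),
    }

def users_to_rehash(table, min_cost=MIN_COST):
    """Split a {user: hash} table into (needs_rehash, malformed) user lists."""
    weak, malformed = [], []
    for user, stored in sorted(table.items()):
        try:
            if audit(stored, min_cost)["needs_rehash"]:
                weak.append(user)
        except ValueError:
            malformed.append(user)
    return weak, malformed

BODY = "." * 53  # constructed salt+digest filler, not a real hash
SAMPLE = {  # constructed rows
    "alice": "$2a$08$" + BODY,  # work factor 8, as reported for this breach
    "bob": "$2b$12$" + BODY,
    "carol": "not-a-bcrypt-hash",
}

if __name__ == "__main__":
    print(audit(SAMPLE["alice"]))
    print(users_to_rehash(SAMPLE))
```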
In a statement, Weebly confirmed the following:
“At this point we do not have evidence of any customer website being improperly accessed,” said a spokesperson. “We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.”
More good news. The fact is companies get compromised. In today's world it is all about protecting that data long enough for it not to matter.
The real danger is right now, in the rush to perform password resets. This is a phishing dream: potentially millions of non-technical users, already scared about the compromise, are receiving password reset emails and just clicking anything to be safe again.
EV Certificate enhances Weebly users' security
Thankfully Weebly are protecting users by implementing an EV Certificate on the login and password reset pages. An EV Certificate (Extended Validation) provides authentication of the website owner and not just HTTPS encryption.
If you are a customer, make sure that both your login page and password reset page include Weebly Inc in the green address bar.
Be safe and be careful what you click on.