Care2, a social network that promotes animal welfare, women’s rights, healthy living and a variety of other causes, has reset the account credentials of millions of its users following a data security breach of its systems over the holidays.
The company said it does not collect members’ credit card, financial or Social Security information, but the attackers who breached its systems were apparently targeting account credentials. The company, which started in 1998, has more than 50 employees, 15 million members and 400 non-profit partners.
In a blog post to members, Care2 founder and CEO Randy Paynter said the company’s growth has made it the target of hackers in recent years. He said the company’s incident response team determined hackers gained access to a limited number of Care2 email addresses and passwords. The vulnerability exploited by the attackers was fixed, blocking access to account logins, he said.
“This was the first hacking attempt that successfully breached our protective walls,” Paynter wrote. “We take the security of our members very seriously and are taking this extreme step of changing all passwords to reduce the chances of any possible negative consequences.”
Paynter said the FBI was notified of the breach. The IP address used in the attack was from Russia, but investigators have been unable to determine if the attackers are from that country.
“Hackers are most likely looking for login information they can exploit on financial websites,” Paynter wrote. “Individuals often use the same login information on multiple sites, so if a hacker can get your login credentials on one site, they can then try using those same details to log in to a financial site.”
Members of Care2 were automatically emailed a new password when they attempted to log in to their locked-out accounts. In an update posted Tuesday, Paynter said the company was working on a backlog of help requests, indicating the account reset hasn’t been smooth.
Chester Wisniewski, a senior security advisor at Sophos Canada, said the security vendor was informed that Care2 may not have been storing passwords securely.
“Rather than storing passwords as a salted cryptographic hash that would not reveal their customers’ passwords if stolen (or make it much more difficult), they are storing them either in plaintext or in a reversible format,” Wisniewski wrote in the Sophos Naked Security blog.
Wisniewski said the Care2 breach is a reminder that people should reassess where they share their personal information and use unique passwords at every site that requires a login. Security experts say account credentials have been rising in value on the black market. Cybercriminals use stolen passwords to access bank accounts and tap into corporate networks, evading most traditional security technologies.