Earlier this year, a cybercriminal exploited vulnerabilities in the DailyQuiz server and stole the personal details of 13 million users, which were then offered for sale on the dark web and Telegram channels.
According to The Record, the database contained details of nearly 12.8 million users, including plaintext passwords, emails, and IP addresses for 8.3 million accounts. It had been sold since January 2021 for around USD 2000 in cryptocurrency but is now publicly accessible after landing in the hands of a security researcher.
The leaked data has also been provided to Have I Been Pwned, a website managed by Australian security researcher Troy Hunt. DailyQuiz users can visit the Have I Been Pwned website to check whether their personal details were exposed in the site's security breach. When approached by The Record's analyst for comment on the security breach, DailyQuiz refused to comment. However, the company may have some explaining to do, especially when it comes to storing users' passwords in plaintext, a big security no-no.
Unfortunately, DailyQuiz is not the first company to make the error of storing passwords in plaintext; others that made the same mistake include the likes of Russian social media giant VK, Italian email provider Email.it, stock trading service Robinhood, Google's G Suite platform, and even social media giant Instagram.
Security risks to DailyQuiz users
The most vulnerable users are those who reused their username, email, and password on other sites. They should change their passwords immediately and are also advised to check and update any type of financial information linked to these websites.
Security researchers have advised this because cybercriminal groups collect personal details of the victims and use the data to carry out credential stuffing attacks — where they check a person’s DailyQuiz username/email and password combination at other online services in an attempt to hijack other accounts.
Studies suggest that a majority of users, by some estimates as high as 85%, reuse the same login credentials for multiple services. As long as this practice continues, credential stuffing will remain fruitful. Credential stuffing attacks are fueled by breaches like these, as they allow attackers to use the plaintext passwords right away, without having to expend huge computational and financial resources to crack hashed passwords (the format in which most passwords are stored).