It’s 2015, and too many organizations still don’t seem to know to search Google or Pastebin for their own domain to find out whether they’ve been hacked and their data dumped somewhere. There’s no way this blog can report on them all, or even alert them all, but one of today’s examples is WAYEB, the European Association of Mayanists.
I know, I know: who’d want to hack a non-profit group of folks interested in the Mayan culture, right? But being an academically oriented organization does not immunize you from those who run around testing for SQL injection vulnerabilities.
On April 5, a hacker who tweets as “Jabb” (@Versifyings on Twitter) dumped hundreds of records of WAYEB members on Pastebin. The records, from what appears to be a backup database, included 237 members’ e-mail addresses, cleartext passwords, and phone number(s). An additional 240 records included e-mail addresses, usernames, and, once again, cleartext passwords.
No financial information was dumped.
This was not the first time wayeb.org was hacked and data dumped, as DataBreaches.net pointed out to WAYEB in a notification alert last night.
WAYEB did not acknowledge or respond to the e-mail notification, but I see that all of the pastes that had been specifically mentioned in the e-mail notification have been removed overnight, so they likely did receive the alert. Whether they intend to notify all those whose e-mail addresses, usernames, and cleartext passwords were exposed is unknown to DataBreaches.net, but it would be prudent to do so, as people continue to re-use passwords across sites despite repeated warnings to the contrary. DataBreaches.net does not know whether WAYEB also intends to report the breach to any EU data protection authorities.
In the meantime, when was the last time you checked whether your organization’s information or records have been dumped on Pastebin, or whether they show up in a Google search for your domain? Even if you don’t collect or store financial data, think of what’s involved in notifying everyone whose personal information has been publicly dumped. And think of what data protection regulators might put you through.
Isn’t it worth checking regularly?
Update: Chris Walshman reminds me that haveibeenpwned.com is also a great site to check.
One tool that helps with this process comes courtesy of Troy Hunt (@troyhunt), who created https://haveibeenpwned.com/
You can check whether your individual credentials have been exposed and, after appropriate verification that you control the domain, whether any credentials from your domain have. It’s well thought out (IMO) and diligently maintained.
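The self-check the post keeps coming back to (searching Pastebin and Google for your own domain, and having a list of affected addresses ready for notification) can be partly automated. The script below is an added example written for this page; it is not code from DataBreaches.net, from WAYEB, or from haveibeenpwned.com, and it does not contact any of those services. It takes a dictionary of paste texts (here a constructed sample; in real use you would feed it what your Pastebin scraper or search-alert tooling retrieves), pulls out every e-mail address on a domain you monitor, flags lines that carry extra delimited fields alongside the address (the `email:password` and `email,username,password` shapes seen in the WAYEB dump), and produces a per-paste summary plus the deduplicated list of addresses you would have to notify. Domain matching is exact or by subdomain, so `example.org.evil.com` does not count as a hit for `example.org`.

```python
import re
from collections import defaultdict

# Constructed sample pastes for demonstration only. No real data.
SAMPLE_PASTES = {
    "paste-aaaa": (
        "Members dump - backup db\n"
        "alice@example.org:Summer2015!\n"
        "bob@example.org;+49 30 1234567;hunter2\n"
        "carol@other.example:letmein\n"
    ),
    "paste-bbbb": (
        "email,username,password\n"
        "dave@example.org,dave_k,P@ssw0rd\n"
        "erin@mail.example.org,erin,qwerty123\n"
    ),
    "paste-cccc": "Nothing to see here, just a shopping list: eggs, milk, bread\n",
}

# Matches an e-mail address and captures its domain part separately.
EMAIL_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
)
# Field separators commonly seen in credential dumps.
DELIM_RE = re.compile(r"[:;,|\t]")


def domain_matches(domain, monitored):
    """True if domain equals a monitored domain or is a subdomain of one."""
    domain = domain.lower()
    return any(domain == m or domain.endswith("." + m) for m in monitored)


def scan_pastes(pastes, monitored_domains):
    """Return one finding per monitored-domain address found in the pastes.

    A finding is flagged looks_like_credentials when the line carries at
    least one other delimited field next to the address (password, phone,
    username...). That heuristic is deliberately loose: a false positive
    costs a glance, a false negative costs an unnotified member.
    """
    monitored = {d.lower() for d in monitored_domains}
    findings = []
    for paste_id, text in pastes.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in EMAIL_RE.finditer(line):
                if not domain_matches(m.group("domain"), monitored):
                    continue
                fields = [f.strip() for f in DELIM_RE.split(line) if f.strip()]
                findings.append({
                    "paste": paste_id,
                    "line": lineno,
                    "email": m.group("email").lower(),
                    "looks_like_credentials": len(fields) >= 2,
                })
    return findings


def summarize(findings):
    """Per-paste counts: addresses seen and how many look like credentials."""
    per_paste = defaultdict(lambda: {"addresses": 0, "with_extra_fields": 0})
    for f in findings:
        per_paste[f["paste"]]["addresses"] += 1
        if f["looks_like_credentials"]:
            per_paste[f["paste"]]["with_extra_fields"] += 1
    return dict(per_paste)


def affected_addresses(findings):
    """Deduplicated, sorted list of addresses that would need notification."""
    return sorted({f["email"] for f in findings})


if __name__ == "__main__":
    found = scan_pastes(SAMPLE_PASTES, ["example.org"])
    for paste_id, counts in summarize(found).items():
        print(f"{paste_id}: {counts['addresses']} address(es), "
              f"{counts['with_extra_fields']} with extra fields")
    print("notify:", ", ".join(affected_addresses(found)))
```

Run it as-is to see the report for the constructed sample; in practice replace `SAMPLE_PASTES` with the texts your scraper pulls down and run it on a schedule, so that a dump like WAYEB's shows up in your own inbox rather than in a blog post.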