Trakt.tv data breach from 2014

[chazragg]

Received an email from trakt.tv about a data breach they have only just discovered that happened in 2014. 

 

 

Straight from the email
 

Quote

We are contacting you today because we have learned of a data breach that occurred back in December 2014. The breach involved some of your personal information such as username, email and encrypted password. Although this happened in 2014, we only recently discovered this, and wanted to promptly provide notice as part of our commitment to your privacy.

THE GOOD NEWS

To any VIPs, no payment information was included in the breach. All payment data is securely held by payment processors and never within our own servers.

Next, in January 2015, we moved from version 1 of our site to version 2. In doing so, we removed any access outsiders had to your information and accomplished three key things to strengthen our security:

1. We moved to a more secure algorithm for storing passwords
2. Our platform change removed the exploit
3. The new infrastructure has far tighter restrictions

WHAT HAPPENED

Our investigation is ongoing, but we believe a PHP exploit was used to capture data from Trakt users.

WHAT INFORMATION WAS INVOLVED

We have found that the information lost included email, username, encrypted passwords, name and location.

WHAT WE ARE DOING

We have reset passwords for affected users. Although we believe that our 2015 move to version 2 of our site stopped any ongoing access to user information, we are diligently monitoring our site.

WHAT YOU CAN DO

For all affected users, we have reset your passwords and you will receive an email with a reset link. In addition to that, if you are the type of user to re-use passwords on different sites, we recommend changing your password on all other sites as well. Remember, this is a password from Dec. 2014, so if you have since changed your password, you are already protected.

As an additional resource, check out what Gizmodo suggests to safeguard yourself. Gizmodo: How to stop worrying about every 'Mega' password breach that comes along

FOR MORE INFORMATION

Please see FTC Data Breach Resources

We know you trust us with your data and we failed to protect it. We're incredibly sorry that this happened and hope that you'll let us earn your trust back.

- The Trakt Team

 

[Fnige]

Ouch... whats trakttv?

[chazragg]

1 minute ago, SlimyPython said:

Ouch... whats trakttv?

websites that you can link music streaming services to which will track what tv series/movies you have matches down to the episode and also recommend others based on your watching habits.

i use it for my Plex server which is nice if i ever need to reinstall plex at any point i don't lose my progression 

[Ryujin2003]

3 hours ago, chazragg said:

websites that you can link music streaming services to which will track what tv series/movies you have matches down to the episode and also recommend others based on your watching habits.

i use it for my Plex server which is nice if i ever need to reinstall plex at any point i don't lose my progression 

That sounds like a lot of data gathering...

[paddy-stone]

Wow, am glad I always use different passwords and/or email addresses, could have seriously compromised a lot of people there.

[S w a t s o n]

 How did they not figure this out for 5 years?

[Taja]

44 minutes ago, Ryujin2003 said:

That sounds like a lot of data gathering...

Well, I use my traktv without any linked accounts, just to mark watched Episodes and follow the series schedules and such. Really useful.

[sazrocks]

Quote

encrypted passwords

WHY!? Why are companies STILL not properly hashing and salting passwords!?

 

I hope they can be sued by affected customers for negligence.

[HarryNyquist]

3 hours ago, sazrocks said:

WHY!? Why are companies STILL not properly hashing and salting passwords!?

"But it's encrypted! No one can possibly get at the plain text!"

-- "Security Analyst" with an Associate's degree in Game Programming

[trakt_sean]

Hey guys,

 

This was actually my bad in terminology.  I wanted to use something that the average person understood, but forgot to think of the implications of encrypted meaning that it's a two way process.

 

The passwords were SHA1 hashed.  And this was back in 2014, we have moved on to a different and more secure hashing strategy.

 

- Sean

[Syntaxvgm]

4 hours ago, sazrocks said:

WHY!? Why are companies STILL not properly hashing and salting passwords!?

 

I hope they can be sued by affected customers for negligence.

a little bit of pepper never hurt either. 

[underyx]

6 hours ago, S w a t s o n said:

 How did they not figure this out for 5 years?

Well, that's pretty straightforward. Barring advanced packet inspection or audit log monitoring techniques, which you'll not find at nearly any (non-super-regulated) company under 100 employees, the only way to learn about a breach like this is if someone notices the breached data circulating.

 

Even then, the source is often not named, so the you need to figure that out as well. One way might be to derive it from the texture of the data, such as comparing the list of emails in a random unnamed dump to the ones in your own app's database. Another way would be correlating some other values that are possibly part of the dump, such as "account creation date", to values you know (your own account's creation date.)

[S w a t s o n]

42 minutes ago, underyx said:

Well, that's pretty straightforward. Barring advanced packet inspection or audit log monitoring techniques, which you'll not find at nearly any (non-super-regulated) company under 100 employees, the only way to learn about a breach like this is if someone notices the breached data circulating.

 

Even then, the source is often not named, so the you need to figure that out as well. One way might be to derive it from the texture of the data, such as comparing the list of emails in a random unnamed dump to the ones in your own app's database. Another way would be correlating some other values that are possibly part of the dump, such as "account creation date", to values you know (your own account's creation date.)

Lmao dude are you from trakt.tv doing some damage control? Every other company manages to figure these things out and yes sometimes it's a year or maybe two later but 5 years? gg no re

[trakt_sean]

He is not.  I am.  We found out because spycloud.com (similar to haveibeenpwned.com) found our data on the dark web.  One of our users signed up for an account and let us know.  This just happened in January.

[underyx]

2 hours ago, S w a t s o n said:

Lmao dude are you from trakt.tv doing some damage control? Every other company manages to figure these things out and yes sometimes it's a year or maybe two later but 5 years? gg no re

No, I'm the guy who found out about the leak and told trakt as Sean mentions above. That's why I have some idea of how it all worked

 

Then I got curious what the reception was like online and saw that it might be useful to provide some context here.