Now people agreed that the breach happened on June 20, 2020, and was conducted by Shiny Hunters, an infamous hacker group. Both the hacker and Wattpad didn't clarify when and how the breach took place.
Wattpad is a website in Toronto to host user-generated books and other written material. Since July 7th, some heard rumors about the private sale of a Wattpad database containing over 200 million records, which shocked the company and its users. But the company didn't clarify the breach immediately.
Until July 14, Wattpad initially outlined that it had been the target of an attack, but no financial information, private messages, or phone numbers were leaked.
However, the company admitted one week later, the real situation is much worse than early estimation. In fact, after July 14, the breached database was available to free download from particular websites.
Finally, Wattpad revealed an update on a support webpage, which listed the data types the malicious actors obtained:
general geographic location
responses to website surveys
list of paid stories
chapter title purchased by user
Google or Facebook token
2. Actions of Victims
Although Wattpad didn't find the breach on the first day, two weeks later it publicized the incident and potential risks on its website to inform all the victims.
Because the passwords are stored as bcrypt hashes, a high standard encryption algorithm, two weeks is relatively short to crack it. Considering that there are 270 million accounts breached, most of them should haven't been decrypted then. So if users quickly change passwords, their accounts would be safe.
Wattpad announced that it would enhance its password requirements for all accounts, and also urge users to change passwords out of an abundance of caution. Its actions are to ensure current users' accounts in good shape.
As for other extensive personal information including names and usernames, email and IP addresses, genders, birth dates, Wattpad didn't present any settlement yet. This information is free on the internet now, Wattpad actually can do nothing.
If Wattpad needs users' name, birthday, and gender for better services or features, the users have to take the risk of leakage for its non-professional security mechanism. However, the 270 million accounts conflicted with another number: 80 million, the real users at that moment.
It means Wattpad hadn't removed inactive or canceled users' data for its own business purpose. This caused 200 million account's personal information leaked in vain, who took the risk but get nothing. After the breach, even no way to warn them.
The breached data also include "list of paid stories" and "chapter title purchased by user", which are specific to the website. These data that Wattpad uses to target potential users, reveal a user's interests which may be private. Now they possibly are used for marketing, spamming, phishing, and impersonation.
3. Hacker and Dark Web
The hack was done by Shiny Hunters, a group known for selling company databases acquired in data breaches. In an anonymous tip, a hack news website was told that the Wattpad database was being sold. Then the breach was unveiled in more detail and confirmed quickly.
Shiny Hunters has likely made a large sum of money by selling this data online. After it got the Wattpad database, it initially listed the most valuable price: $100,000. But this price just kept one or two weeks, then it was published on a public hacking forum where it was broadly shared free.
Shiny Hunters explained why giving away the data. "I just thought: 'I've made enough money now' so I leaked for everyone's benefit. Obviously, some people are a little upset because they paid resellers a few days ago, but I don't care."
What does a hacker care about? This story shows how a hacker makes money and contribute to the curious or greedy internet. Shiny Hunters is a high-profile one, even Microsoft's GitHub account is in its breached list.