Wattpad Breach 2020 by Shiny Hunters

Breach and Leak Report: In 2020 Wattpad suffered a massive data breach that exposed almost 270 million records, including names, email addresses, IP addresses, genders, birthdays, and hashed passwords.

By Jackson White
1. Bad News Comes from the Dark Web
One of the most significant breaches in 2020 was at Wattpad. The website suffered a huge data breach that exposed almost 270 million records, including names, email addresses, IP addresses, genders, birthdays, and passwords stored as hashes. The company didn't recognize the incident until its data was sold and shared on the dark web, and it seemed not to have a strong security team or policy.

It is generally agreed that the breach happened on June 20, 2020, and was conducted by Shiny Hunters, an infamous hacker group. Neither the hackers nor Wattpad clarified when and how the breach took place.

Wattpad is a Toronto-based website that hosts user-generated books and other written material. From July 7, some people heard rumors about the private sale of a Wattpad database containing over 200 million records, which shocked the company and its users. But the company didn't clarify the breach immediately.

It was not until July 14 that Wattpad first stated that it had been the target of an attack, but that no financial information, private messages, or phone numbers were leaked.

However, the company admitted one week later that the actual situation was much worse than initially estimated. In fact, after July 14, the breached database was available for free download from particular websites.

Finally, Wattpad posted an update on a support webpage, which listed the data types the malicious actors obtained:
  • email address
  • birthday
  • gender
  • IP address
  • display name
  • account name
  • general geographic location
  • responses to website surveys
  • list of paid stories
  • chapter title purchased by a user
  • Google or Facebook token
2. Actions of Victims
Although Wattpad didn't find the breach on the first day, two weeks later, it publicized the incident and potential risks on its website to inform all the victims.

Because the passwords were stored as bcrypt hashes, produced by a strong password-hashing algorithm, two weeks is a relatively short time in which to crack them. Considering that 270 million accounts were breached, most of them should not have been cracked by then. So if users quickly changed their passwords, their accounts would be safe.

Wattpad announced that it would enhance its password requirements for all accounts and urged users to change passwords out of an abundance of caution. These actions are meant to ensure current users' accounts are in good shape.

As for the other extensive personal information, including names and usernames, email and IP addresses, genders, and birth dates, Wattpad hasn't presented any settlement yet. This information is accessible on the internet now; Wattpad can actually do nothing about it.

If Wattpad needs users' names, birthdays, and gender for better services or features, the users have to risk leakage because of its non-professional security mechanism. However, the 270 million accounts conflict with another number: 80 million, the actual number of users at that moment.

It means Wattpad, for its business purposes, hadn't removed the data of inactive or canceled users. As a result, the personal information of 200 million accounts was leaked for nothing: their owners took the risk but got nothing in return. After the breach, there was not even a way to warn them.

The data that Wattpad uses to target potential users reveals a user's interests, which may be private. It can possibly be used for marketing, spamming, phishing, and impersonation. The breached data also includes a "list of paid stories" and "chapter title purchased by users," which are specific to the website.

3. Hacker and Dark Web
The hack was done by Shiny Hunters, a group known for selling company databases acquired in data breaches. An anonymous tip told a hacking news website that the Wattpad database was being sold. Then the breach was unveiled in more detail and confirmed quickly.

Shiny Hunters has likely made a large sum of money by selling this data online. After getting the Wattpad database, the group initially listed it at its highest price: $100,000. But this price held for only one or two weeks; then the database was published on a public hacking forum, where it was broadly shared for free.

Shiny Hunters explained why it gave away the data: "I just thought: 'I've made enough money now,' so I leaked for everyone's benefit. Some people are a little upset because they paid resellers a few days ago, but I don't care."

What does a hacker care about? This story shows how a hacker makes money and contributes to the curious or greedy internet. Shiny Hunters is a high-profile group; even Microsoft's GitHub account is on its list of breaches.