Video creation service Promo.com this week confirmed that user data was exposed as a result of a data breach identified last week.
Founded in 2012, Israel-based Promo was initially a slideshow company named Slidely. In 2016, it launched the Promo video creation platform for businesses and in 2019 it rebranded from Slidely to Promo.com.
The newly disclosed security incident, which was discovered on July 21, 2020, was the result of “a data security vulnerability on a 3rd party service,” the company reveals.
Both Slidely and Promo user data was impacted in the incident, but no financial information was leaked, Promo says.
“We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened,” the company announced.
Although no financial data, such as credit card and billing information, was affected in the breach, lots of other user information was exposed, including first and last names, gender, email and IP addresses, approximated user location, and encrypted, hashed and salted passwords for the Promo and Slidely accounts.
Promo also notes that, although the account passwords were stored hashed and salted, the attackers might attempt to decode them.
The company says it has completely removed the vulnerable third-party service and hired a cyber-security firm to reinforce protections.
“Out of a precautionary measure we have notified all Promo.com customers who might have been affected and have recommended that they reset their passwords,” the company says.
Promo urges users to change their Promo or Slidely passwords when next logging into their accounts. They should also reset the password for any other account where the same passphrase was used.
The company did not share information on how many users were impacted in the incident, but risk management provider CloudSEK revealed that the information of 22.1 million Promo users was offered for sale last week.
The data allegedly included 2.6 million records with passwords and the seller said they were able to crack 1.4 million of them, CloudSEK said in a report shared with SecurityWeek.
Related: Digital Banking Service Dave Says Data Stolen in Third-Party Breach
Related: EDP Renewables North America Discloses Data Breach
Related: LiveAuctioneers Data Breach Impacts 3.4 Million Users