Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Web Developer Hub SitePoint Discloses Data Breach

Web development resources provider SitePoint has notified users of a data breach that resulted in some of their information being stolen.

Based in Melbourne, Australia, and established more than two decades ago, SitePoint provides users with access to tutorials and books that can help them learn the basics of web development.

Web development resources provider SitePoint has notified users of a data breach that resulted in some of their information being stolen.

Based in Melbourne, Australia, and established more than two decades ago, SitePoint provides users with access to tutorials and books that can help them learn the basics of web development.

Last week, the company started informing users that some data was accessed by a third-party during a cyber-attack that was “recently confirmed.”

The culprit, SitePoint said, is a third-party tool that it uses to monitor its GitHub account, “which was compromised by malicious parties.”

While it did not provide further information on the compromised tool, SitePoint said that hackers abused it to access its systems and codebase. The Waydev GitHub application was previously abused in similar attacks.

In addition to removing the tool, the company rotated API keys and changed passwords.

“As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters,” the company told users.

Information that was likely compromised during the incident includes names, usernames, hashed passwords, email addresses, and IP addresses. Although the passwords are stored hashed and salted, users are advised to change them, to ensure the security of their account.

“Your browser will remain logged in if you have used our service recently. However, you can still create a new password manually by clicking on the ‘Account > Profile & Settings’ option and entering your details in the ‘Change your password’ section,” SitePoint said.

Users who log into SitePoint with Google, Facebook, or similar social services won’t have to change their passwords.

The company also notes that it has no evidence that customers’ financial information was accessed during the data breach, as it does not store credit card data, but uses a third party service for credit card processing.

The company also said it is currently “performing a full assessment of the data breach,” as well as of its infrastructure and security posture.

SitePoint did not provide information on the number of affected users, but BleepingComputer suggests that over one million might have been affected, based on information that emerged in December 2020. The company was apparently warned of the incident at the time.

“This breach, and the fact that they were warned months earlier, serves as a lesson that organizations need to have a process in place to deal with reports of potential data leakage and must take them seriously. It is critical for organizations to deal with these issues quickly and transparently to allow those impacted to protect themselves,” Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment.

“These types of breaches are a reason that individuals should be taught not to use the same login credentials across multiple services. In the event the attackers are able to crack the encryption, they are likely to try the credentials on other websites, especially banking sites and shopping sites, in the hope that they are reused there,” Kron added.

Related: Airbus CyberSecurity Subsidiary Stormshield Discloses Data Breach

Related: Embedded Software Developer Wind River Discloses Data Breach

Related: Clothing Brand Bonobos Notifies Users of Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...