Web development resources provider SitePoint has notified users of a data breach that resulted in some of their information being stolen.
Based in Melbourne, Australia, and established more than two decades ago, SitePoint provides users with access to tutorials and books that can help them learn the basics of web development.
Last week, the company started informing users that some data was accessed by a third-party during a cyber-attack that was “recently confirmed.”
The culprit, SitePoint said, is a third-party tool that it uses to monitor its GitHub account, “which was compromised by malicious parties.”
While it did not provide further information on the compromised tool, SitePoint said that hackers abused it to access its systems and codebase. The Waydev GitHub application was previously abused in similar attacks.
In addition to removing the tool, the company rotated API keys and changed passwords.
“As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters,” the company told users.
Information that was likely compromised during the incident includes names, usernames, hashed passwords, email addresses, and IP addresses. Although the passwords are stored hashed and salted, users are advised to change them, to ensure the security of their account.
“Your browser will remain logged in if you have used our service recently. However, you can still create a new password manually by clicking on the ‘Account > Profile & Settings’ option and entering your details in the ‘Change your password’ section,” SitePoint said.
Users who log into SitePoint with Google, Facebook, or similar social services won’t have to change their passwords.
The company also notes that it has no evidence that customers’ financial information was accessed during the data breach, as it does not store credit card data, but uses a third party service for credit card processing.
The company also said it is currently “performing a full assessment of the data breach,” as well as of its infrastructure and security posture.
SitePoint did not provide information on the number of affected users, but BleepingComputer suggests that over one million might have been affected, based on information that emerged in December 2020. The company was apparently warned of the incident at the time.
“This breach, and the fact that they were warned months earlier, serves as a lesson that organizations need to have a process in place to deal with reports of potential data leakage and must take them seriously. It is critical for organizations to deal with these issues quickly and transparently to allow those impacted to protect themselves,” Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment.
“These types of breaches are a reason that individuals should be taught not to use the same login credentials across multiple services. In the event the attackers are able to crack the encryption, they are likely to try the credentials on other websites, especially banking sites and shopping sites, in the hope that they are reused there,” Kron added.
Related: Airbus CyberSecurity Subsidiary Stormshield Discloses Data Breach
Related: Embedded Software Developer Wind River Discloses Data Breach
Related: Clothing Brand Bonobos Notifies Users of Data Breach