The breach notification site Leaked Source (www.leakedsource.com) announced on October 20, 2016, that it had notified the web design firm Weebly (www.weebly.com) that the data of 43,430,316 Weebly users had been compromised in a hack.
On October 21, 2016, The International Business Times reported that a Weebly spokesperson responded by saying, “At this point we do not have evidence of any customer website being improperly accessed.”
According to Leaked Source, the hack came to its attention through an anonymous tip. Although it wasn’t discovered until October 2016, the hack of Weebly’s main database reportedly occurred in February 2016. This means that all Weebly users who signed up for the service prior to March 2016 are potentially impacted by the data breach. Leaked Source believes that the hack potentially puts tens of millions of websites at risk of being hacked. At present, the identity of the hacker(s) isn’t known.
What Was Stolen:
Leaked Source’s October 20, 2016, blog post on the Weebly hack states that users’ usernames, email addresses, passwords, and IP addresses were stolen from Weebly. While the data breach is a major concern, Weebly confirmed that they “do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident.” Consequently, no Weebly user’s financial information should be at risk.
Weebly users should also breathe a sigh of relief knowing that hackers will have a great deal of difficulty recovering passwords, because Weebly stored passwords as bcrypt hashes with a cost factor of 8. Bcrypt is a one-way, salted password hashing function that is deliberately slow to compute: a stored hash cannot be unscrambled back into the password, so an attacker has to guess candidate passwords and hash each guess, and the cost factor controls how slow each of those guesses is. That is why bcrypt hashes are very difficult to decipher.
Weebly users with weak passwords are at the greatest risk from “brute force” cracking attempts, since a short or common password is among the first guesses tried no matter how slow each guess is.
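To make the cost-factor discussion concrete, here is an added example (it is not Weebly’s code and was not published by Leaked Source) showing how a site stores and verifies password hashes with a cost factor and how it upgrades existing records to a higher cost at login time. bcrypt itself is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the convention that cost 8 means 2**8 = 256 rounds is bcrypt’s, while the `cost$salt$digest` record layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# bcrypt's "cost factor" is the base-2 logarithm of its work factor:
# cost 8 means 2**8 = 256 rounds. bcrypt is not in the standard library, so
# PBKDF2-HMAC-SHA256 stands in here using the same log2 convention.
# The "cost$salt$digest" record layout is a constructed format for this example.


def hash_password(password: str, cost: int = 8, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and 2**cost rounds."""
    if salt is None:
        salt = os.urandom(16)  # a unique salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return f"{cost}${salt.hex()}${digest.hex()}"


def record_cost(record: str) -> int:
    """Read the cost factor back out of a stored record."""
    return int(record.split("$", 1)[0])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost and compare in constant time."""
    cost, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 2 ** int(cost)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login_and_upgrade(password: str, record: str, target_cost: int) -> Tuple[bool, str]:
    """Verify a login and, on success, re-hash at target_cost if the stored record
    is weaker. The plaintext is only available at login, so that is the moment
    a site can strengthen the hashes of existing accounts."""
    if not verify_password(password, record):
        return False, record
    if record_cost(record) < target_cost:
        record = hash_password(password, cost=target_cost)
    return True, record


def relative_guess_cost(old_cost: int, new_cost: int) -> int:
    """How many times more work each attacker guess takes at new_cost than at
    old_cost. Every +1 doubles it, so going from 8 to 12 makes each guess 16x slower."""
    return 2 ** (new_cost - old_cost)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", cost=8)
    print("stored cost:", record_cost(stored))
    print("login ok:", verify_password("correct horse battery staple", stored))
    ok, upgraded = login_and_upgrade("correct horse battery staple", stored, target_cost=12)
    print("upgraded to cost", record_cost(upgraded), "each guess now", relative_guess_cost(8, 12), "x slower")
```

The slow hash only multiplies the attacker’s work per guess; it does not change how many guesses a weak password survives. A password that appears in a short list of common choices is found after a few thousand guesses at any cost factor, which is why the advice that follows concentrates on the password itself.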
What Is Weebly Doing and What Should Users Do:
Weebly is taking steps to add additional protections to their services and software and there are some steps users can take to protect themselves as well.
Weebly is in the process of notifying customers of the breach. Weebly has also strengthened its password protections so that stored passwords are even more difficult to unscramble if obtained by hackers. The company is also working on improving its password policies.
Weebly users should go to their Weebly accounts and change or reset their passwords. Even with hashing, the likelihood of a password being cracked greatly depends on the strength of that password. So, in addition to the website security measures taken by Weebly, users can better protect themselves by choosing strong, difficult-to-crack passwords. Users can develop strong passwords by following these guidelines:
- Don’t reuse passwords; use a unique password for every website you log into. This will protect your data on other websites if your login information is stolen from one site.
- Use a mix of letters, numbers, and symbols in your password.
- The longer your password is, the harder it is to crack. Many security experts recommend a password of a minimum of 12-14 characters.
- Never use personal information such as your birthday, your kids’ birthdays, etc. in your passwords. This type of information is too accessible to hackers and is often the first type of information they use to try to crack passwords. Also, avoid using common words as passwords because they can also easily be cracked.
- Keep your passwords secure. This means that you shouldn’t share them – even with people you trust.
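The guidelines above can be checked mechanically at sign-up or password-change time. The following is an added example (not Weebly’s code) of such a check: it encodes the length, character-mix, common-word, personal-information and reuse rules from the list and reports every rule a candidate password breaks. The common-password list is a small constructed sample, and the function and parameter names are assumptions for this example.

```python
import re
from typing import Iterable, List

# Constructed sample list for the example; a real deployment would use a large
# list of passwords known from previous breaches.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome", "weebly"}

MIN_LENGTH = 12  # the lower end of the 12-14 character recommendation above

CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def check_password(password: str,
                   personal_info: Iterable[str] = (),
                   used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return the guidelines the password violates; an empty list means it passes.

    personal_info: strings the user should never embed (names, birth years, ...).
    used_elsewhere: passwords the user already uses on other sites (reuse check).
    """
    problems: List[str] = []

    # Length: the longer the password, the harder it is to crack.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Mix of letters, numbers and symbols: require at least three of the four classes.
    classes_present = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes_present < 3:
        problems.append("needs a mix of letters, numbers and symbols")

    # Common words: strip digits and symbols first so "Password123!" is still caught.
    lowered = password.lower()
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("is a common word or password")

    # Personal information such as names and birthdays is too easy to guess.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")

    # Reuse: a breach of one site must not expose accounts on others.
    if password in set(used_elsewhere):
        problems.append("reused from another site")

    return problems


if __name__ == "__main__":
    for candidate in ["password", "Password123!", "Summer-Jane-1985-xyz", "Tr0ub4dor&3-Plus-Kite"]:
        report = check_password(candidate, personal_info=["Jane", "1985"])
        print(f"{candidate!r}: {'ok' if not report else '; '.join(report)}")
```

A site would run this server-side and reject or warn on any non-empty result; the reuse check in particular can only be done on the user’s side, for example by a password manager, since no single site knows a user’s other passwords.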
In addition, many website design firms permit website owners to have two layers of security. In this situation, users enter their main username and password on the login screen, and then they are asked to enter a second, different confirming username and password before they can access their site information. If you can implement this precaution on your website, you should. Dual layers of security make your websites very difficult to hack.
These password tips will not only help protect your Weebly account, but they are good tips to protect all of your online data.