Social media analytics platform Social Blade confirmed that it had suffered a data breach after its database was compromised and sold on a hacking forum.
Social Blade is an analytics platform that provides statistical graphs for YouTube and Instagram accounts. Customers can see projected earnings and estimates.
Customers can integrate Social Blade data into their platforms using the API provided by the company.
BleepingComputer reached out to Social Blade regarding the sale of its data. The company responded by confirming that there had been a data breach and began notifying customers about it.
A data breach notice sent to customers stated that “on December 14th, we were notified about a possible data breach in which an individual had obtained exports of our users database and attempted to sell it on hacker forums.”
“We verified the authenticity of samples posted. This individual appears to have exploited a security flaw on our website in order to access our database.”
According to the data breach notice, the intruder gained access to the company's database and was able to steal the following information:
- Email addresses
- Password hashes
- Client IDs
- Tokens to be used by API business users
- Auth tokens to connect accounts
- Diverse internal and non-personal data
This notice confirms that credit card data was not compromised by the security breach.
Social Blade says that passwords are hashed using the bcrypt algorithm, but the company still recommends that users change their passwords. However, the platform won't reset all credentials.
Authorization tokens have been cycled for Business users as well as for connected social media accounts. This prevents threat actors from using the tokens in the stolen database.
BleepingComputer contacted Social Blade to inquire whether the stolen authorization tokens had been misused by threat actors. However, a response wasn’t immediately available.
Social Blade on sale at a hacker forum
BleepingComputer was first alerted to the breach by a threat actor who began selling the company's data on Monday, 12/12.
The threat actor posted on the Breached hacking forum that the data had been stolen on September 20, 2022, and that he was prepared to sell it to no more than one or two persons.
The hacker claims the stolen database contained 5.6 million records. He also shared sample data, including email addresses and the database structure.
BleepingComputer reached out to Social Blade in order to verify the authenticity of the samples.
According to the company, it has now closed the security hole that the intruder exploited to gain entry to its systems. It is also performing extra checks to make sure all systems are properly protected against similar attacks in the future.
The notice states, “we are too conscious of the fact that bad actors will continue trying to penetrate IT infrastructure throughout the world,” and assures users that “at Social Blade we will not be complacent about hardening security and defenses.”
Social Blade encourages its users to be vigilant about phishing attempts that impersonate the breached organization in order to steal credit card numbers and passwords.