SQL injection attack: i-dressup.com data breach


What happened?

On September 26, 2016, Ars reported that a California-based social hangout website targeting young girls and teenagers, i-dressup.com, had been breached, and 2.2 million account credentials had been downloaded and exposed.

The breach had happened in June 2016, and yet was acknowledged by i-dressup.com only on October 1 [2], during which time the website was still open to being further breached.

At that point the website shut down all accounts, sent email notices to their users, and filed a police report with the Police Department of the City of Mountain View, California.

The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website.

It took him about three weeks to obtain the cache, and he claimed at the time that there was “nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries.” [1]

He contacted Ars and Have I Been Pwned? [3] and provided a data dump of the 2.2 million breached records: name, age, email address and plain-text password of the members, who were young girls, both under 13 and teenagers.

What went wrong?

1. The web-application interface wasn’t secure enough – and it was exposed to SQL injection attacks.

This points to a grave lack of secure software practices and failure in quality control and testing.

2. The passwords were stored in plain text in the database.

Industry standards dictate that passwords are never stored directly but only as a salted cryptographic hash.
This would have offered a second layer of protection even after the database had been breached, since the attacker would have obtained hashes rather than directly usable passwords.
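The following Python is an added illustration written for this page (it is not code from i-dressup.com or from the Ars report) and covers both failures above: a login routine that splices user input into the SQL text and compares it against a plain-text password column, placed beside the hardened form that uses a parameterised query and a salted PBKDF2 hash. The table names, account emails and passwords are constructed for the demo, and the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for this demo; a real deployment tunes it to its hardware.
PBKDF2_ITERATIONS = 300_000


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password: slow and one-way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register_hardened(conn: sqlite3.Connection, email: str, password: str) -> None:
    """Store only a per-user random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_hashed (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with two constructed accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    # Table laid out the way the breached site stored it: plain-text passwords.
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    # The same accounts stored the way industry practice dictates.
    conn.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))
        register_hardened(conn, email, password)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> list:
    """The failing pattern: user input spliced into the SQL string and compared
    against a plain-text column. Returns every email the query matched."""
    query = (
        "SELECT email FROM users_plain "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def login_hardened(conn: sqlite3.Connection, email: str, password: str):
    """Parameterised lookup (input is bound as a value, never parsed as SQL),
    then a constant-time comparison of the recomputed hash. Returns the
    email on success, otherwise None."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    salt, stored_hash = row
    if hmac.compare_digest(hash_password(password, salt), stored_hash):
        return email
    return None


if __name__ == "__main__":
    db = build_demo_db()
    tautology = "' OR '1'='1"
    # The concatenated query matches every account; the bound parameter matches none.
    print(login_vulnerable(db, "alice@example.com", tautology))
    print(login_hardened(db, "alice@example.com", tautology))
```

In the vulnerable routine a quote character in the password field changes the query's structure, so the `AND password = ...` clause is neutralised and the whole table matches. In the hardened routine the same string is bound as a literal and compared only after hashing, and a dump of `users_hashed` yields salts and digests rather than passwords. A production version would additionally run a dummy hash when the email is unknown, so that response time does not reveal which accounts exist.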

3. Serious lack of accountability

As a website catering to children – young girls below 13, and teenagers – the lack of company policy on secure software measures, on data protection, on data breach notification, and on accountability is not a trivial matter.

This may even constitute a COPPA violation, and the website could be held liable if a lawsuit is filed.

What can the breached users do?

1. Change the password on every other website where the same password was used, to prevent ripple effects of the breach.

2. Be vigilant about scam emails sent to the exposed email address, as they may be phishing attacks, and neither click on any links in them nor respond to them in any way.

3. Not use the same password for multiple sites.

4. Not sign up on websites whose services can be used without logging in.

5. Parents of children who use websites should be more careful about where their children sign up online and what information they provide.

What can companies do?

Before the breach-

1. Take customer privacy seriously and make it a vital part of the company’s work ethic.

2. Have a minimal-and-only-if-absolutely-necessary outlook towards data collection and retention – particularly if the company caters to children.

3. Have policies in place for database design, secure software development, testing (unit, regression, penetration), software updates and patches.
This will ensure properly hashed passwords and web interfaces without loopholes.

After the breach-

1. Notify users as soon as the company becomes aware of the breach

2. Shut down services to prevent further bleeding

3. Review policies and technical failures, and start over by acknowledging the failures, taking responsibility for them, and working towards being a company that makes security a priority

References-

1. http://arstechnica.com/security/2016/09/social-hangout-site-for-teens-leaks-millions-of-plaintext-passwords/

2. http://www.i-dressup.com/Noticedatabreach.php

3. https://haveibeenpwned.com/PwnedWebsites#iDressup