Website builder leaks data of 200K users

Website builder Ucraft leaked the data of hundreds of thousands of users, which malicious actors have accessed and distributed.

During a recent investigation, the Cybernews research team discovered a publicly accessible Google Cloud Storage Bucket belonging to Armenia-based IT company Ucraft. The company provides an online design tool to build websites.

Leaked user data. Source: Cybernews

The bucket contained database backups and logs from 2018, which exposed sensitive user information. The leaked data poses a severe threat to Ucraft’s users, as malicious actors can use it for a variety of attacks. These include things like phishing, doxxing, spam, identity theft, credential stuffing, account takeovers, and the exploitation of Ucraft’s internal systems and websites hosted by them.

Worryingly, the data remained publicly accessible for an extended period, and it was accessed by malicious actors. In March 2023, the database was posted on a hacker forum. On January 5th, 2024, when Cybernews researchers stumbled on the bucket, it was still publicly accessible.

The leaked data includes:

  • Unredacted domain registration information – email addresses, phone numbers, names, and home addresses.
  • User email addresses
  • Hashed passwords
  • Old passwords
  • Transaction data and partial credit card details
  • Database hosts and database names for users’ sites.

Cybernews contacted the company, and the access was secured. An official comment on the matter is yet to be received.

Leaking domain data is hazardous

Leaking domain registration information poses a high risk of exploitation, as it contains the contact information of the domain’s owner. Normally, publicly available domain information is redacted for privacy reasons to avoid attacks.

Leaked domain data. Source: Cybernews

Access to unredacted domain registration information could be valuable for attackers to try to phish or spam the domain owner. Also, identifying the website’s owners could lead to doxxing, as domain registration information has often been used to harass owners across different platforms.

The leaked database backups also contained user passwords. While the passwords were hashed, some of them were hashed using a less secure MD5 hashing algorithm.

Leaked old passwords. Source: Cybernews

It's probable that when the leaked database backups were created, Ucraft was in the process of transitioning to a more secure password-hashing algorithm.

During transitions to new hashing algorithms, users typically need to log in and change their password. The leaked database contained hashes of old passwords as well, meaning that attackers had access to multiple passwords created by the same user. This made it easier to identify users who changed their passwords in a predictable manner or only slightly.

Sites' data. Source: Cybernews

By exploiting these passwords, attackers could have potentially gained access to other users' Ucraft accounts through generalized credential stuffing or targeted attacks to log into the website's administration panel.

More from Cybernews:

I installed top 100 apps: my Android phone contacted Russia and China at night

Burglars using jammers to disable wireless smart home security

Polish parliamentary commission convenes to probe use of Pegasus

OpenAI’s Sora creates sensational videos

Air Canada responsible for chatbot’s actions after all

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked