Website builder leaks data of 200K users

Last updated: 20 February 2024
Ucraft
Image by Cybernews

Website builder Ucraft leaked the data of hundreds of thousands of users, which malicious actors have accessed and distributed.

During a recent investigation, the Cybernews research team discovered a publicly accessible Google Cloud Storage Bucket belonging to Armenia-based IT company Ucraft. The company provides an online design tool to build websites.

Ucraft
Leaked user data. Source: Cybernews
ADVERTISEMENT

The bucket contained database backups and logs from 2018, which exposed sensitive user information. The leaked data poses a severe threat to Ucraft’s users, as malicious actors can use it for a variety of attacks. These include things like phishing, doxxing, spam, identity theft, credential stuffing, account takeovers, and the exploitation of Ucraft’s internal systems and websites hosted by them.

Worryingly, the data remained publicly accessible for an extended period, and it was accessed by malicious actors. In March 2023, the database was posted on a hacker forum. On January 5th, 2024, when Cybernews researchers stumbled on the bucket, it was still publicly accessible.

The leaked data includes:

  • Unredacted domain registration information – email addresses, phone numbers, names, and home addresses.
  • User email addresses
  • Hashed passwords
  • Old passwords
  • Transaction data and partial credit card details
  • Database hosts and database names for users’ sites.

Cybernews contacted the company, and the access was secured. An official comment on the matter is yet to be received.

Leaking domain data is hazardous

Leaking domain registration information poses a high risk of exploitation, as it contains the contact information of the domain’s owner. Normally, publicly available domain information is redacted for privacy reasons to avoid attacks.

Ucraft
Leaked domain data. Source: Cybernews
ADVERTISEMENT

Access to unredacted domain registration information could be valuable for attackers to try to phish or spam the domain owner. Also, identifying the website’s owners could lead to doxxing, as domain registration information has often been used to harass owners across different platforms.

The leaked database backups also contained user passwords. While the passwords were hashed, some of them were hashed using a less secure MD5 hashing algorithm.

Ucraft
Leaked old passwords. Source: Cybernews

It's probable that when the leaked database backups were created, Ucraft was in the process of transitioning to a more secure password-hashing algorithm.

During transitions to new hashing algorithms, users typically need to log in and change their password. The leaked database contained hashes of old passwords as well, meaning that attackers had access to multiple passwords created by the same user. This made it easier to identify users who changed their passwords in a predictable manner or only slightly.

ucraft
Sites' data. Source: Cybernews

By exploiting these passwords, attackers could have potentially gained access to other users' Ucraft accounts through generalized credential stuffing or targeted attacks to log into the website's administration panel.

Share
Post
Share
Share
Share
More from Cybernews
“They’re still sulking about the EU switching to USB C:” users react to Apple’s next iPhone plans
Rooting Android invites hackers: up to 3,000 times more vulnerable
Phishing campaign shifts focus to Macs after browsers enhance security on Windows
Links to the “free” TradingView version hide crypto-stealing malware on Reddit
Jensen Huang’s quantum pivot: when tech leaders admit they’re wrong
Meta AI rolling out in Europe in the coming weeks
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked