DaFont hack: Popular font sharing site's entire database of registered users exposed

Hyacinth Mascarenhas

Popular font sharing site DaFont's entire database of user accounts has reportedly been compromised by an unknown hacker earlier this month. ZDNet reports that the usernames, hashed passwords and email addresses of 699,464 registered user accounts were stolen in the hack.

Although DaFont does hash its users' passwords, the site used the outdated MD5 hashing algorithm, which has proven to be easy to crack. The hacker told the tech site that he had already cracked over 98% of the hashes, recovering the plaintext passwords.
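Why unsalted MD5 falls so quickly, and what a site in DaFont's position can do about it, as an added illustration that is not from the article or from DaFont's code: every user with the same password gets the identical hash, so one precomputed table cracks all of them at once. The sketch below recognises such legacy records and transparently rehashes them with a salted, deliberately slow PBKDF2 on the next successful login. The user table, function names and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of a legacy user table with unsalted MD5 hashes,
# the scheme the article describes; not real DaFont data.
LEGACY_USERS = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),  # same password, identical hash
}

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware

def is_legacy_md5(stored):
    """A bare 32-hex-digit string is an unsalted MD5 record."""
    return bool(MD5_HEX.match(stored))

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a per-user salt defeats shared lookup tables."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Check a password against either a legacy MD5 or a PBKDF2 record."""
    if is_legacy_md5(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(users, username, password):
    """Verify the login; on success, upgrade a legacy MD5 record in place."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if is_legacy_md5(stored):
        users[username] = hash_password(password)  # migrate on next login
    return True
```

Records that never log in again stay MD5, so a migration like this should be paired with forced resets for dormant accounts once a breach is suspected.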


Users who follow the seemingly routine but extremely unsafe practice of reusing the same password across multiple platforms and services risk having their other accounts compromised as well.

DaFont's database also included the site's forum data, private messages and other site information.


"I heard the database was getting traded around so I decided to dump it myself - like I always do," the hacker told ZDNet. The attacker said he did it "mainly just for the challenge [and] training my pentest skills."

To carry out the attack, the hacker said he exploited an "easy to find" union-based SQL injection vulnerability in the website's software.


IBTimes UK has reached out to DaFont for comment.

The hacker provided the stolen database to ZDNet and security expert Troy Hunt, the administrator of the breach notification site Have I Been Pwned, for verification.

Hunt's analysis found that the database contained 637,340 unique email addresses. He also found that 62% of those email addresses were already in his database from earlier breaches.

The confirmed email addresses found in the breach included several corporate accounts belonging to staffers at Microsoft, Google and Apple. Multiple accounts associated with government agencies in the US and UK were also found.
