Android community MoDaCo suffers data breach, user database stolen

Hackers appear to have broken in via a compromised admin account.

Graham Cluley
Graham Cluley
@[email protected]


UK-based Android community MoDaCo has suffered a data breach, potentially exposing a database of hundreds of thousands of online users.

MoDaCo founder Paul O’Brien has issued a statement, apologising to affected users and stating that all stored passwords are salted and hashed:

Modaco statement

Sign up to our free newsletter.
Security news, advice, and tips.

Part of the statement reads as follows:

Earlier today a number of users contacted us to inform us that data breach tracking site,, is notifying users of a data breach of the MoDaCo database.

After initial investigations, we have determined that this report is correct – a dump of the MoDaCo database has been extracted by an unauthorised entity.

First of all – we are of course very disappointed that this has happened, the security of your data is very important to us – I appreciate we’ve let you down in this regard but hope we can allay some concerns and do our best to rebuild your confidence starting now.

MoDaCo runs on a market leading CMS, is regularly updated and runs on a server which too receives regular updates and security scans. We chose the CMS we use because it receives frequent security fixes and most importantly, stores passwords in a very secure Blowfish based form.

Although password details might be out of the hands of hackers, it seems that other personal information – such as usernames and email addresses – may have been exposed. As a result, affected users would be wise to be on the lookout for phishing attacks and spam campaigns.

Interestingly, MoDaCo says that it believes that the hackers gained access to the user database after compromising an administrator’s account. Whether that was through a phishing an admin’s passwords, or the administrator making the mistake of using an easy-to-crack password or reusing the same password across multiple sites is not clear.

But one can definitely make the case that additional authentication methods – such as two-factor authentication – might have gone some way to better protect the community’s admin accounts from being accessed by unauthorised users.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.