No razzle-dazzle here! Hackers target Zazzle with run-of-the-mill brute-force attack

We’ve said it before: stop reusing passwords on different sites.

David Bisson


Online criminals have pulled off a tried-and-true password brute-force attack against online marketplace Zazzle.

On 25 August, the company notified the Office of the Attorney General in California about a security incident that might have undermined users’ account security. As Zazzle explains in a breach notification letter:

We take security extremely seriously at Zazzle and wanted to let you know that in July 2017, our Security Team detected a brute force data security attack. During this data breach, some unauthorized login attempts to Zazzle accounts were made, including one using your Zazzle username (email address) and password.


Given the nature of the incident, Zazzle believes that your username (email address) and password may have been obtained by an unauthorized third party, through a breach of other website(s), who then tried to confirm your credentials on our site.

Those behind the attack attempted to log in to users’ accounts without their authorization. They did this using password reuse attacks: taking login credentials publicly disclosed in the Weebly, Dropbox, LinkedIn, and other “mega-breaches” of 2016 (among other security incidents) and trying them across various web services, on the assumption that some users had reused the same email address and password elsewhere.
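The attack pattern just described has a recognisable shape in a site's own login logs: one source tries many different usernames, one or two attempts each, and most attempts fail. The detector below is an added example, not Zazzle's code or anything from the article; the log format, the IP addresses and the usernames are all constructed, and the thresholds are assumptions a defender would tune to their own traffic. It summarises attempts per source IP and flags sources that look like credential stuffing, returning the accounts those sources successfully logged into so they can be forced through a password reset.

```python
"""Credential-stuffing detector over constructed login-log lines.

Constructed sample data (not from the article): each line is
'<timestamp> <source_ip> <username> <result>' where result is OK or FAIL.
Heuristic: a single source trying many *distinct* usernames with a high
failure ratio is the signature of credential stuffing, as opposed to a
classic brute force, which hammers one account with many passwords.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """\
2017-07-10T02:00:01Z 203.0.113.7 alice@example.com FAIL
2017-07-10T02:00:02Z 203.0.113.7 bob@example.com FAIL
2017-07-10T02:00:02Z 203.0.113.7 carol@example.com OK
2017-07-10T02:00:03Z 203.0.113.7 dave@example.com FAIL
2017-07-10T02:00:03Z 203.0.113.7 erin@example.com FAIL
2017-07-10T02:00:04Z 203.0.113.7 frank@example.com FAIL
2017-07-10T02:00:05Z 203.0.113.7 grace@example.com OK
2017-07-10T02:00:06Z 203.0.113.7 heidi@example.com FAIL
2017-07-10T02:01:00Z 198.51.100.4 ivan@example.com FAIL
2017-07-10T02:01:30Z 198.51.100.4 ivan@example.com FAIL
2017-07-10T02:02:00Z 198.51.100.4 ivan@example.com OK
2017-07-10T02:05:00Z 192.0.2.9 judy@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while scanning the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, ok)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def summarize(log_text):
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.5):
    """Return {source_ip: [accounts it logged into]} for sources whose
    behaviour matches credential stuffing. Thresholds are assumptions;
    a real deployment tunes them against its own baseline traffic."""
    alerts = {}
    for ip, s in summarize(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.usernames) >= min_users and fail_ratio >= min_fail_ratio:
            alerts[ip] = sorted(s.successes)
    return alerts


if __name__ == "__main__":
    for ip, accounts in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; reset {accounts}")
```

In the constructed log, 203.0.113.7 tries eight different accounts and fails six times, so it is flagged and the two accounts it did enter are returned for a forced reset; 198.51.100.4 retries a single account three times, which is an ordinary user mistyping a password and is not flagged. Successful logins from a flagged source are the important output: they are exactly the "thousands of accounts" a site has to reset even though each one looked like a normal login on its own.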

At this time, it’s unclear just how many members the attack might have affected. Zazzle’s CTO Bobby Beaver estimates the attackers might have gained access to “thousands of accounts,” a general figure which he says represents only “a small percentage of accounts.”

But even if an attacker did access their profile, Beaver wants to reassure users that they can recover from the hack using the site’s password recovery mechanism.

As he told ZDNet:

“The reset procedure we referenced requires the user reconfirm their email address by sending a security token to that email address. As such, a malicious actor could not reset the password for the account — unless they had access to the email account itself, which is not in our control.”
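The property Beaver describes, that a reset cannot be completed without control of the mailbox, comes from a few concrete design choices: the token is random and unguessable, only a hash of it is stored server-side, it expires, and it can be used once. The sketch below is an added illustration of that flow and is not Zazzle's implementation; the time-to-live, the in-memory stores and the injectable clock are assumptions made so the example runs offline.

```python
"""Email-token password reset flow (added illustration, not Zazzle's code).

Assumptions: the token returned by request_reset() would be sent to the
user's email address and never shown to the requester; stores are in-memory
dicts for the example; the clock is injectable so expiry can be exercised.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def _hash_password(password, salt=None):
    """Salted PBKDF2 for the stored credential; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def _hash_token(token):
    """Store only a hash of the token so a database leak does not leak live links."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}    # email -> (token_hash, expires_at)
        self._credentials = {}  # email -> (salt, digest)

    def request_reset(self, email):
        """Issue a fresh single-use token; a newer request replaces any older one."""
        token = secrets.token_urlsafe(32)
        self._pending[email] = (_hash_token(token), self._now() + TOKEN_TTL_SECONDS)
        return token   # delivered only via the registered email address

    def complete_reset(self, email, token, new_password):
        """Accept the token once, only before expiry, compared in constant time."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]
            return False
        if not hmac.compare_digest(token_hash, _hash_token(token)):
            return False
        del self._pending[email]   # single use: a replayed link fails
        self._credentials[email] = _hash_password(new_password)
        return True

    def verify_password(self, email, password):
        cred = self._credentials.get(email)
        if cred is None:
            return False
        salt, digest = cred
        return hmac.compare_digest(digest, _hash_password(password, salt)[1])


if __name__ == "__main__":
    svc = ResetService()
    link_token = svc.request_reset("user@example.com")   # would be emailed
    print(svc.complete_reset("user@example.com", "guess", "new-pass"))        # False
    print(svc.complete_reset("user@example.com", link_token, "new-pass"))     # True
    print(svc.complete_reset("user@example.com", link_token, "again"))        # False
    print(svc.verify_password("user@example.com", "new-pass"))               # True
```

A stolen site password never enters this flow, which is why a credential-stuffing attacker who got in cannot lock the legitimate owner out: the reset is gated on the mailbox, not on the old password. The residual risk the quote acknowledges is the mailbox itself, which is the strongest argument for users not sharing the email account's password with any other site.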

Rather than take a chance with users’ accounts, Zazzle has imposed a mandatory password reset for all members. Users should therefore choose a strong password to protect their account whenever they next visit the online marketplace. Whatever they choose should be one that they haven’t used with any of their other accounts.

That’s not to say that Zazzle is sitting on its hands in the meantime, however.

The company has implemented a CAPTCHA to prevent automated login attempts. It’s also considering the activation of additional security measures.

Considering that the company suffered two breaches in August 2016, Zazzle should look into extra measures, such as a two-step verification (2SV) security feature.

If it follows that advice, Zazzle’s users will thank it in the long run.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
