Cyber Incident Victim: Boxee
Date:
Mar 2014
Location:
United States of America
Summary
A hack targeting a web-based television service's forums exposed personal data for over 158,000 users, including names, email addresses, message histories, IP addresses, birth dates, and cryptographically scrambled passwords. The compromised information also contained site activity logs, password changes, and approximately 172,000 email addresses, distributed in an 800MB file circulating online. Password management services alerted affected individuals to update their credentials due to the exposure of partially protected login details and associated account histories. The breach included all user messages sent through the platform, revealing comprehensive communication records alongside technical account metadata.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The breach impacting Boxee.tv's user forums was publicly confirmed in late March or early April 2014, following the online circulation of an 800-megabyte data file containing extensive user records. This file exposed personal information tied to 158,128 Boxee.tv forum accounts, including names, email addresses (approximately 172,000 entries due to some users having multiple addresses), cryptographically hashed passwords, birth dates, IP addresses, site activity logs, full private message histories, and records of password changes. The compromised data originated from Boxee.tv's web-based television service forums, which operated prior to Samsung's acquisition of the company in July 2013. Attackers gained access to the complete message histories exchanged through the platform, revealing both content and metadata about user communications. The exposure included technical authentication details through password hashes, though the cryptographic protection reduced immediate credential misuse risks. Security researcher Scott A. McIntyre identified the broad availability of the stolen dataset by late March 2014, confirming its authenticity through analysis of the structured user records and message archives.
LastPass initiated customer notifications on April 1, 2014, warning users whose email addresses appeared in the leaked dataset. The password management service advised affected individuals to immediately update their Boxee.tv credentials and utilize LastPass's Security Challenge tool to identify other accounts using identical passwords. The public disclosure highlighted the exposure of persistent identifiers like IP addresses and birth dates, increasing risks of targeted phishing or identity theft campaigns. No information regarding containment measures by Samsung or Boxee.tv's operators was detailed in available reports. The incident's impact extended beyond credential exposure due to the publication of private communications, potentially compromising user relationships and trust in the discontinued platform's data stewardship practices.