Cyber Incident Victim: Weebly
Date: Feb 2016
Location: United States of America
Summary
A website-building platform suffered a breach compromising over 43 million accounts, with stolen data including usernames, email addresses, IP addresses, and passwords protected by bcrypt hashing. The company confirmed unauthorized access but found no evidence of customer website intrusions or fraudulent use of payment information, noting full credit card details weren't stored on their servers. Affected users were notified with mandatory password resets implemented. Separately, a location-based service reportedly had over 22 million accounts exposed containing personal identifiers, though it denied any breach occurred following internal investigation.
Description
In February 2016, attackers compromised Weebly, a website-building platform, resulting in the theft of over 43.4 million user accounts. The breach remained undisclosed until October 20, 2016, when LeakedSource, a breach notification site, published details of the incident alongside an unrelated Foursquare data exposure. Analysis of a data sample confirmed stolen records contained usernames, email addresses, IP addresses, and passwords protected by bcrypt hashing. Weebly subsequently acknowledged the breach but emphasized investigators found no evidence of unauthorized access to customer websites or fraudulent use of payment card data, noting the company did not store complete credit card numbers on its servers. The scale of the breach ranked among the largest reported that year, though the exact method of intrusion and attacker identity remained unconfirmed in public disclosures.

Weebly initiated customer notifications following LeakedSource’s disclosure, mandating password resets as a precautionary measure. The company’s public statement stressed ongoing internal reviews but did not specify whether forensic investigations had identified the root causes of the vulnerability or an intrusion timeline beyond the February 2016 attack window. While bcrypt hashing reduced the immediate risk of credential misuse, the exposure of email addresses and IP addresses left affected users open to potential phishing and targeting. No follow-up reports confirmed malicious exploitation of the stolen Weebly data, and the company maintained its service operations without disclosing disruptions. The incident highlighted the role of third-party breach notification services in forcing disclosures, as Weebly’s confirmation occurred only after external analysis of the leaked dataset.
