Cyber Incident Victim: Promo.com

Date: Jul 2020

Location: Israel

Summary

A marketing video creation platform experienced a data breach when a third-party service vulnerability led to the exposure of 22 million user records, including email addresses, names, geographic locations, and genders. Approximately 2.6 million hashed and salted passwords were compromised, with 1.4 million already cracked and publicly available, heightening credential stuffing risks. Social media login tokens were also exposed, though no financial information was accessed. The company mandated password resets for affected accounts upon next login and advised users to update credentials across other services. The leaked dataset was subsequently verified and added to a public breach notification service.

Description

In July 2020, Promo.com, an Israel-based marketing video creation platform, experienced a significant data breach when a database containing 22.1 million user records was leaked on a hacker forum. Cybersecurity intelligence firm CloudSEK identified the breach after a well-known data seller posted the database for free, offering records that included email addresses, names, genders, and geographic locations. Approximately 2.6 million of these records contained hashed passwords, while 1.4 million passwords had already been cracked and were openly accessible, increasing the risk of credential stuffing attacks. The leaked post was temporarily removed but later reappeared on the same forum, extending the exposure window. Promo.com confirmed the breach stemmed from a vulnerability in a third-party partner’s service, affecting users of both Promo and its subsidiary Slidely. The compromised data did not include financial information but exposed IP addresses, gender details, email addresses, full names, and hashed passwords protected with a salt. Because the salts were included in the leaked data, attackers could test password guesses against the hashes directly, which simplified password-cracking efforts.

Promo.com issued a breach notification advising users to immediately change their passwords and adopt unique credentials across all online accounts, suggesting the use of password managers. The company acknowledged that even encrypted passwords could eventually be decrypted over time, heightening long-term risks. Additionally, social media login tokens tied to Promo.com accounts were exposed, prompting recommendations for users to regenerate these tokens where possible. The company enforced mandatory password resets for all affected accounts upon users’ next login attempts. Customers were explicitly warned that cracked passwords could facilitate attacks on other platforms if credentials were reused. To aid verification, the breached dataset was submitted to Have I Been Pwned, a service tracking compromised accounts. The incident underscored the operational and reputational impacts of third-party vulnerabilities, while the public availability of cracked passwords amplified immediate threats to user security across multiple services.
