Cyber Incident Victim: DailyQuiz

Date: Jan 2021

Location: United States of America

Summary

A cybersecurity incident impacted DailyQuiz, exposing personal details of 13 million users, including 8.3 million plaintext passwords alongside emails and IP addresses. An attacker breached the company’s database, stole the data, and sold it via hacking forums and Telegram channels before it leaked publicly. The company acknowledged the breach through a website notification but provided no further details, with the exposure of unprotected passwords highlighting a critical security failure.


Description

In early January 2021, a hacker breached the database of DailyQuiz, a quiz-building platform, and stole personal details of 13 million users. The compromised data included plaintext passwords, email addresses, and IP addresses for 8.3 million accounts, alongside additional user information affecting 12.8 million individuals. The attacker listed the stolen dataset for sale on underground hacking forums and Telegram channels shortly after the breach, pricing it at $2,000 in cryptocurrency. Throughout January 2021, the data circulated among cybercriminal buyers through private transactions. By mid-January, the information entered the public domain after being redistributed via data brokers, prompting a security researcher to share a sample with The Record for verification. The exposure of plaintext passwords represented a severe security failure, as industry standards mandate cryptographic hashing for password storage. DailyQuiz acknowledged the incident through a popup notification on its website but provided no detailed public statements or responses to media inquiries regarding the breach's origin or scope.

The leaked credentials exposed affected users to credential stuffing attacks, in which cybercriminals try reused passwords against other accounts. DailyQuiz advised impacted individuals to verify their exposure status through the Have I Been Pwned breach notification service and to change passwords on any platforms where they had reused DailyQuiz credentials, particularly for accounts linked to financial or social media services. No evidence indicated that DailyQuiz implemented additional protective measures for users beyond this advisory. The incident drew attention to systemic security shortcomings, as the company joined other organizations like VK, Email.it, Robinhood, Google's G Suite, and Instagram in facing breaches attributable to plaintext password storage practices. The sale and subsequent public leakage of the database created persistent risks of account takeovers and identity fraud for millions of users, because the compromised passwords were stored in plaintext.
