Cyber Incident Victim: Letterboxd

On February 15, 2024, Letterboxd detected unauthorized access to its systems following the compromise of an employee account by third-party attackers. The breach resulted in the theft of user data belonging to fewer than 1% of the platform’s user base. Letterboxd immediately isolated and secured the compromised account upon discovery to prevent further unauthorized activity. The attackers obtained access to email addresses, private Lists, Watchlists, and deleted content associated with affected accounts. No passwords, payment information, or other credentials enabling account takeover were accessed or exfiltrated during the incident. Letterboxd implemented unspecified security measures to reduce the likelihood of similar incidents occurring in the future. The company did not identify which specific users were impacted by the breach but notified all users via email about the incident.

The stolen data poses a risk of targeted phishing campaigns leveraging exposed email addresses and user activity details like Lists and Watchlists. Letterboxd acknowledged this secondary threat but confirmed no direct compromise of account integrity or financial systems. The platform advised users to employ unique passwords and enable two-factor authentication as general security precautions, though these measures were not presented as incident-specific remedies. No evidence suggests operational disruption to Letterboxd’s services beyond the data theft, and the breach investigation concluded without identifying additional compromised systems or threat actor attribution. The company’s public disclosure emphasized transparency regarding the scope of accessed data while confirming the containment of the breach to the initially identified entry vector.