Cyber Incident Victim: Wattpad
Date:
Jul 2020
Location:
Canada
Summary
A stolen database containing approximately 270 million records from Wattpad was initially sold privately by the Shiny Hunters group before being released freely on hacker forums. The compromised data included usernames, email addresses, hashed passwords (with a mix of bcrypt and SHA256 algorithms), names, and general geographic locations, though the company confirmed no financial information, private messages, stories, or phone numbers were accessed. External security consultants assisted in investigating the breach, and passwords for all users were reset as a precautionary measure. The incident involved impersonation of a journalist during the public release of the data, and the number of affected records exceeded the platform's reported user base at the time.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early July 2020, cybersecurity communities observed private sales of an alleged Wattpad database containing 270 million records, with threat actor group Shiny Hunters reportedly offering it for approximately $100,000 in Bitcoin. BleepingComputer began tracking these claims on July 7th after receiving anonymous tips, later obtaining sample records that included usernames, real names, email addresses, geographic locations, and passwords hashed with both bcrypt (145 million) and SHA256 (44 million). One contacted user confirmed the accuracy of their exposed information. Wattpad initially engaged external security consultants to investigate while withholding confirmation of the breach, though Kier Hume, their Director of PR & Communications, acknowledged awareness of unauthorized data access reports. By July 14th, Wattpad issued a statement confirming the incident but asserted no financial data, phone numbers, private messages, or user-generated stories were compromised, emphasizing that active user passwords were cryptographically hashed and salted.
The stolen database resurfaced publicly on July 14th when an impersonator of ZDNet reporter Catalin Cimpanu posted it for free on a hacker forum, escalating dissemination risks. This release occurred amid tensions between Shiny Hunters and security researcher Vinny Troia, who had threatened to expose the group’s identities. Wattpad’s investigation continued through July 20th, when the company mandated password resets for all users as a precautionary measure, advising against password reuse across platforms. The 271 million records cited in the breach significantly exceeded Wattpad’s reported 80 million users in 2019, raising questions about data duplication or historical accumulation. BleepingComputer could not independently verify the full database’s authenticity beyond initial samples, while Wattpad maintained its remediation efforts focused on containment and reinforcing user trust without disclosing specific intrusion methods or attacker origins.