Cyber Incident Victim: Knuddels.de
Date: Jul 2018
Location: Germany
Summary
A German social network experienced a data breach compromising approximately 808,000 email addresses and over 1.8 million usernames with passwords stored in plain text. The incident prompted immediate security enhancements, user notifications, and password resets, alongside cooperation with regulatory authorities. The organization received a €20,000 GDPR penalty—Germany's first under the regulation—for failing to implement adequate data protection measures like pseudonymization and encryption. Mitigating factors included transparent communication, rapid corrective actions, and collaborative engagement with oversight bodies, resulting in a reduced fine despite the significant scale of exposed user credentials.
Description
On July 20, 2018, the German social network and flirty chat platform Knuddels.de experienced a data breach compromising every user account active on that date. Attackers infiltrated the platform's servers and exfiltrated approximately 808,000 email addresses alongside over 1.8 million usernames and their associated passwords. The stolen data was subsequently published in the clear on two public platforms, Pastebin and the Mega cloud storage service. Knuddels.de staff confirmed the breach affected every individual who held an account or chat username on the service as of the intrusion date. The investigation found that the platform had stored user passwords in plain text, with neither pseudonymization (for example, salted password hashing) nor encryption, in breach of basic data protection principles; because the passwords were not hashed, the published dump was directly usable for logging in to Knuddels.de and for credential-stuffing attempts against other services where users had reused the same password. Among the leaked records, 330,000 email addresses were verified as current. Upon discovering the unauthorized disclosures, Knuddels.de initiated immediate response measures: password resets for all affected users, direct notification of the user base, and additional security controls to prevent recurrence.

The Baden-Württemberg Data Protection Authority (LfDI) imposed Germany's first General Data Protection Regulation (GDPR) penalty on Knuddels.de in November 2018, a fine of €20,000 (about $23,000 USD). The regulator determined that the platform had violated Article 32(1)(a) of the GDPR, which lists the pseudonymization and encryption of personal data among the required security measures, by storing user credentials in plain text. Mitigating factors included Knuddels.de's rapid containment actions, with security upgrades and user communications completed within weeks, its full cooperation with investigators, and its transparency throughout the process. LfDI State Commissioner Stefan Brink emphasized that the penalty was corrective rather than punitive, noting the company's agreement to implement further security controls under regulatory supervision. While the fine was a small fraction of the maximum GDPR allows, the incident forced Knuddels.de into unplanned infrastructure work whose cost exceeded the penalty itself. No evidence indicated that the exposed credentials had been maliciously exploited before containment.
