
Cyber Incident Victim: CashCrate

Date:

Jun 2017

Location:

United States of America

Summary

CashCrate suffered a breach that compromised roughly 6 million user accounts, exposing email addresses, names, passwords and physical addresses. The oldest accounts stored passwords in plaintext and later ones as MD5 hashes without salting; the company said users active since October 2013 had hashed and salted passwords, but inactive accounts kept the weaker protection. Attackers got in through third-party forum software, and the site did not serve its login pages over HTTPS.


Description

In June 2017, a data breach affecting approximately 6 million user accounts at CashCrate, a platform that paid users for completing online surveys and testing products, was reported. The stolen database, provided to Motherboard by the breach notification service LeakBase, contained email addresses, full names, physical addresses and password data. The records dated back to 2006. The earliest entries stored passwords in plaintext; accounts created from mid-2010 onward stored MD5 hashes, an algorithm unsuited to password storage because it is fast to compute and, without a per-user salt, lets an attacker test one precomputed table of candidate hashes against every account at once. Motherboard confirmed the database's authenticity by attempting to register accounts with email addresses taken from the dump; the attempts failed because those addresses were already registered. The data spanned eleven years of the platform's operation, from 2006 to 2017, so users from every period were exposed.


CashCrate's initial investigation attributed the breach to compromised third-party forum software, which the company took offline pending a security review. It began notifying affected users and acknowledged that password protection had varied over time: users active since October 2013 had passwords that were both hashed and salted, while inactive accounts retained the weaker older formats. Company representatives pledged to convert all remaining plaintext passwords to salted hashes. Researchers also noted that, before the breach, CashCrate did not serve its login pages over HTTPS, leaving submitted credentials open to interception in transit. Because many people reuse passwords, the leak exposed users to credential-stuffing attacks against other services, with holders of older accounts, whose passwords were stored in plaintext or as unsalted MD5, at greatest risk. The exfiltrated data spanned multiple eras of the platform's password-storage practices.
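The description above distinguishes three ways the leaked passwords were stored: plaintext, MD5 hashes, and hashed-and-salted values. The following is an added example, not code from the original page or from CashCrate, showing why that distinction matters to an attacker holding the dump. The records, wordlist and salts are constructed; PBKDF2-HMAC-SHA256 stands in for the salted scheme, since the page does not say which algorithm CashCrate used after October 2013. The point it demonstrates is cost: unsalted MD5 lets one hashed wordlist be reused against every account, whereas a per-user salt forces the work to be redone for each account, and a slow KDF multiplies the cost of each attempt.

```python
"""Cracking cost of plaintext, unsalted MD5, and salted PBKDF2 password stores.

Constructed example: the records, wordlist and salts below are invented to
model the three storage schemes attributed to CashCrate. Nothing here is
data from the real dump.
"""
import hashlib
from typing import Any, Dict, List, Tuple

# Small attacker wordlist (constructed). Real wordlists hold billions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "cashcrate1", "Summer2013"]

# Deliberately low so the demo runs instantly; production deployments use far more.
PBKDF2_ITERATIONS = 1000

# Fixed per-user salts so the example is deterministic (constructed values).
SALT_ERIN = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_FRANK = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password yields the same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes) -> str:
    """Salted, iterated hash: digest depends on the user's salt and costs many rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_sample_dump() -> List[Dict[str, Any]]:
    """Constructed leak records, one group per storage 'era' described in the text."""
    return [
        {"user": "alice", "scheme": "plaintext", "stored": "password"},
        {"user": "bob", "scheme": "md5", "stored": md5_hex("123456")},
        {"user": "carol", "scheme": "md5", "stored": md5_hex("letmein")},
        {"user": "dave", "scheme": "md5", "stored": md5_hex("correct horse battery staple")},
        {"user": "erin", "scheme": "pbkdf2", "salt": SALT_ERIN,
         "stored": pbkdf2_hex("letmein", SALT_ERIN)},
        {"user": "frank", "scheme": "pbkdf2", "salt": SALT_FRANK,
         "stored": pbkdf2_hex("Tr0ub4dor&3xyz", SALT_FRANK)},
    ]


def harvest_plaintext(records: List[Dict[str, Any]]) -> Dict[str, str]:
    """Plaintext era: nothing to crack, the stored column is the password."""
    return {r["user"]: r["stored"] for r in records if r["scheme"] == "plaintext"}


def crack_unsalted_md5(records: List[Dict[str, Any]],
                       wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted MD5.

    The wordlist is hashed ONCE into a lookup table, then every leaked hash is
    looked up in it, so the hashing cost is len(wordlist) no matter how many
    accounts leaked. Returns (recovered {user: password}, hash computations).
    """
    table = {md5_hex(w): w for w in wordlist}
    ops = len(wordlist)
    recovered = {}
    for r in records:
        if r["scheme"] == "md5" and r["stored"] in table:
            recovered[r["user"]] = table[r["stored"]]
    return recovered, ops


def crack_salted(records: List[Dict[str, Any]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary against salted PBKDF2.

    No shared table is possible: each candidate must be re-hashed with each
    user's own salt, and each hash costs PBKDF2_ITERATIONS rounds instead of
    one MD5 compression. Stops at the first hit per user, as an attacker would.
    """
    ops = 0
    recovered = {}
    for r in records:
        if r["scheme"] != "pbkdf2":
            continue
        for w in wordlist:
            ops += 1
            if pbkdf2_hex(w, r["salt"]) == r["stored"]:
                recovered[r["user"]] = w
                break
    return recovered, ops


if __name__ == "__main__":
    dump = build_sample_dump()
    print("plaintext era:", harvest_plaintext(dump))
    md5_hits, md5_ops = crack_unsalted_md5(dump, WORDLIST)
    print(f"unsalted MD5 era: recovered {md5_hits} using {md5_ops} hash computations")
    kdf_hits, kdf_ops = crack_salted(dump, WORDLIST)
    print(f"salted PBKDF2 era: recovered {kdf_hits} using {kdf_ops} hash computations, "
          f"each {PBKDF2_ITERATIONS}x the work of one MD5")
```

Run as a script, the unsalted attack recovers two of the three MD5 accounts after hashing the six-word list once, while the salted attack needs nine PBKDF2 computations for two accounts and only recovers the one whose password is in the list. Scale the wordlist to billions of entries and the account count to millions, as in this incident, and the unsalted table is still built once, which is what makes the 2010-2013 MD5 records nearly as exposed as the plaintext ones.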
