CashCrate

CashCrate operates as an online rewards platform that pays users cash for completing surveys and other promotional offers. The service is headquartered in the United States of America. It targets consumers who wish to earn supplemental income by participating in market research studies. Users typically register an account, complete assigned surveys, and receive monetary compensation upon reaching a payout threshold.

The platform’s primary function was to connect market research firms with individuals willing to provide feedback through a web‑based interface. A distinguishing attribute noted after the 2017 breach was the storage of older user passwords in plaintext, while newer accounts were protected only by weak MD5 hashing. This indicated a lack of robust password protection mechanisms across the user base. Furthermore, the site did not employ basic encryption on its login pages, leaving credentials susceptible to interception during transmission. These security shortcomings highlighted a gap between the service’s consumer‑facing promises and its internal data protection practices.

On June 14, 2017, CashCrate suffered a security breach that compromised approximately six million user accounts. The attackers gained entry through a vulnerability in third‑party forum software integrated into the site. Exposed data included email addresses, full names, passwords, and physical addresses of affected users. The company stated that active users who had registered after a certain cutoff date benefited from stronger security protections, whereas older, inactive accounts remained vulnerable due to the legacy storage methods. The incident underscored the risks associated with relying on outdated authentication practices and insufficient transport‑layer security. Following the disclosure, CashCrate notified impacted users and advised them to change passwords on any services where they reused credentials.