Plaintext passwords, usernames, e-mail addresses, and a wealth of other personal information has been published for more than 2.2 million people who created accounts with ClixSense, a site that claims to pay users for viewing ads and completing online surveys. The people who dumped it say they’re selling data for another 4.4 million accounts.
Troy Hunt, operator of the breach notification service Have I Been Pwned?, said he reviewed the file and concluded it almost certainly contains data taken from ClixSense. Besides unhashed passwords and e-mail addresses, the dump includes users’ dates of birth, sex, first and last names, home addresses, IP addresses, account balances, and payment histories.
A post advertising the leaked data said it was only a sample of personal information taken from a compromised database of more than 6.6 million ClixSense user accounts. The post said that the larger, unpublished data set also includes e-mails and was being sold for an undisclosed price. While the message posted over the weekend to PasteBin.com has since been removed, the two sample database files remained active at the time this post was being prepared. The Pastebin post, which was published on Saturday and taken down a day or two later, read in part:
HUGE new leak! from the clixsense.com site:
~databases including ‘users’ with 6,606,008 plaintext pass, username, emails, address, security answer, ssn, dob.
~emails business + personal (more than 70k emails sent+received)
~source code for site (complete)
The post went on to say that most of the compromised personal information was current as of last month and that e-mail and some of the other data was last updated earlier this month. If true, that would make the data much more valuable than many of the recent leaks such as the one from Dropbox, which dates back to 2012.
Thoroughly hacked
In a private message, ClixSense owner Jim Grago confirmed that his company’s servers, domain name system settings, and e-mail were all completely compromised. He also confirmed that the database contained entries for about 6.6 million accounts, adding further credence to claims attackers made in the now-deleted Pastebin post. In the message, Grago wrote: