Font sharing site DaFont has been hacked, exposing thousands of accounts

Over 98 percent of the passwords were cracked, thanks to the site's poor password security.


A popular font sharing site DaFont.com has been hacked, exposing the site's entire database of user accounts.

Usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen in the breach, carried out earlier this month, by a hacker who would not divulge his name.

The passwords were hashed with the deprecated MD5 algorithm, which is fast to compute and therefore offers little resistance to modern cracking. As such, the hacker recovered over 98 percent of the passwords in plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums.
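Why an MD5-hashed password table falls so quickly, and what a site should store instead, is worth seeing in code. The following is an added example written for this article, not code from DaFont or from the hacker: it contrasts unsalted MD5 (deterministic, so every user who picked the same password shares one hash and one precomputed table covers all of them) with salted PBKDF2-SHA256, and shows the usual migration pattern of rehashing a legacy record the next time its owner logs in successfully. The sample users, passwords and the `pbkdf2_sha256$...` storage format are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for this example; not records from the DaFont breach.
# Two users happen to have chosen the same weak password.
LEGACY_USERS = {"alice": "letmein123", "bob": "letmein123"}


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the article describes.

    It is deterministic: the same password always yields the same digest,
    so one precomputed table of common passwords matches every user at once,
    and MD5 is fast enough that billions of guesses per second are cheap.
    """
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).

    Stored as 'pbkdf2_sha256$iterations$salt$digest'; this format is an
    assumption of the example, not a standard.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_migrate(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify against whichever scheme is on record.

    On a successful login against a legacy MD5 record, rehash the password
    under PBKDF2 so the weak hash disappears from the table over time.
    """
    stored = store.get(username)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, stored)
    # Legacy path: unsalted MD5 record.
    if hmac.compare_digest(legacy_md5_hash(password), stored):
        store[username] = pbkdf2_hash(password)  # upgrade in place
        return True
    return False


def users_sharing_hash(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper: group usernames whose stored hashes are identical.

    Under unsalted MD5, every user with the same password lands in one group,
    so recovering one password recovers all of them. Under salted PBKDF2 the
    per-user salt means such groups never form.
    """
    groups: Dict[str, List[str]] = {}
    for user, h in store.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    table = {u: legacy_md5_hash(p) for u, p in LEGACY_USERS.items()}
    print("shared MD5 hashes:", users_sharing_hash(table))
    login_and_migrate(table, "alice", "letmein123")
    login_and_migrate(table, "bob", "letmein123")
    print("shared hashes after migration:", users_sharing_hash(table))
```

The audit helper is the quick check a defender can run against a legacy table: any non-empty result means identical passwords collapse to identical hashes, which is exactly the property that lets a single cracking run cover most of a user base.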

The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database.

"I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find."
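The difference between a query that is open to union-based injection and one that is not comes down to whether user input is spliced into the SQL text or bound as a parameter. The following is an added example written for this article, using an in-memory SQLite database with a constructed schema; it is not DaFont's code or schema, and the table and column names are assumptions. The vulnerable search concatenates the term into the statement, so a term containing SQL of its own can append a second SELECT over an unrelated table; the fixed search binds the same term as data and returns nothing for it.

```python
import sqlite3
from typing import List, Tuple

# Placeholder value standing in for a stored password hash; constructed for this example.
PLACEHOLDER_HASH = "<hash-placeholder>"


def build_db() -> sqlite3.Connection:
    """Create a small in-memory database (constructed schema, not DaFont's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE fonts (name TEXT, author TEXT);
        CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT);
        INSERT INTO fonts VALUES ('Example Sans', 'Example Designer');
        INSERT INTO fonts VALUES ('Example Serif', 'Example Designer');
        INSERT INTO users VALUES ('alice', 'alice@example.invalid', ?);
        """.replace("?", f"'{PLACEHOLDER_HASH}'")
    )
    return conn


def search_fonts_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """Search term is concatenated into the SQL text: it can change the statement."""
    sql = f"SELECT name, author FROM fonts WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fonts_safe(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    """Search term is bound as a parameter: the driver treats it purely as data."""
    sql = "SELECT name, author FROM fonts WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def leaked_user_rows(rows: List[Tuple[str, str]], conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Detection-style check: which returned rows are not font records at all?"""
    font_rows = set(conn.execute("SELECT name, author FROM fonts").fetchall())
    return [row for row in rows if row not in font_rows]


if __name__ == "__main__":
    db = build_db()
    print("normal search:", search_fonts_safe(db, "Sans"))
    # A term that is itself SQL: harmless when bound, harmful when concatenated.
    crafted = "' UNION SELECT username, password_hash FROM users --"
    print("vulnerable:", search_fonts_vulnerable(db, crafted))
    print("safe:", search_fonts_safe(db, crafted))
```

The fix is not input filtering but parameter binding: the safe version never builds SQL from the term, so the same string that pulls user rows out of the vulnerable query simply matches no font name in the fixed one. The `leaked_user_rows` helper shows the kind of sanity check an application or test suite can run on query results to catch a result set that contains rows from the wrong table.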

The hacker provided the database to ZDNet for verification.

We verified a little over a dozen accounts by enumerating disposable email accounts with the site's password reset function. (We have more on how we verify breaches here.) In each case, the site validated the email address and sent a new password (in plain text) to the disposable email account.

The hacker also provided the database to Troy Hunt, who runs breach notification site Have I Been Pwned.

Hunt's analysis of the database confirmed 637,340 unique email addresses in the database, with 62 percent of those email addresses already in his database.

While the hack of DaFont is far from the biggest data breach we've covered, it could still cause considerable headaches for a lot of people -- even if the free site didn't store any payment or other critically sensitive data. That's because this breach involves a huge trove of email addresses and passwords that could allow a hacker to break into other, more sensitive sites and services that share the same password.

In the case of corporate accounts, that could lead to further data breaches of sensitive and confidential business files. Among the confirmed email addresses we found in the breach, several accounts belonged to Microsoft, Google, and Apple corporate accounts.

Dozens of accounts were also associated with UK and US government agencies.

Several attempts to contact the site's registered owners prior to publication by phone and email were unsuccessful. In an email after we posted, a spokesperson said: "We have been made aware of vulnerabilities and we are actively working to fix them. Some vulnerabilities had already been fixed before the ZDNet article. We have taken immediate measures to limit malicious access to user's accounts."

Anyone thought to be affected by the breach can now search for their data in Have I Been Pwned.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
