ClixSense data breach exposes personal information of millions of subscribers

Unhashed passwords, email addresses, and reams of personal data are now reportedly up for sale.
Written by Charlie Osborne, Contributing Writer
Stock image via CNET

ClixSense has become the victim of a cyberattack which has led to the data of millions of users being put up for sale.

This week, ClixSense, a website which offers users cash in return for completing surveys and watching ads, admitted to a data breach in which an attacker was able to gain access to the firm's database.

The unknown attacker was able to use an old server which the company was no longer using -- but was, at the time, still networked -- to gain access to the main database.

After gaining entry, the cybercriminal was able to copy "most, if not all" of the ClixSense users table, changed account names to "hacked account" and deleted a number of forum posts -- as well as set user account balances to a zero balance.

According to Ars Technica, Have I Been Pwned operator Troy Hunt verified the leak, in which account passwords in plaintext, user dates of birth, IP addresses, email addresses, account balances, and payment histories are all included in the file dump.

In total, 2.2 million records have been published, leaving the data of an additional 4.4 million up for grabs to the highest bidder.

A short-lived Pastebin message from the attackers advertising the stolen data also offered the ClixSense website source code for sale.

In a private message to Ars, ClixSense owner Jim Grago confirmed the breach and admitted the database contained entries for roughly 6.6 million accounts, lending credence to the file dump.

According to the executive, ClixSense became aware of problems on Sunday when the firm's lead developer noticed the website was redirecting to a gay pornography website, the result of an attacker tampering with DNS settings.

Once ClixSense detected the breach, the company was able to terminate the old, vulnerable server, restore user balances, accounts and names. However, ClixSense was not keen to restore from a backup due to the amount of time involved, and instead has asked some users to fill out their own details again.

ClixSense pulled a silver lining out of the cloud, however, by saying that the data breach has meant that "simply put, your ClixSense account information is now much more secure." Make of that what you will, but in the meantime, the company has also implemented a forced password change.

"To say this past week was a bit stressful is an understatement. It has taught us that regardless of what you do to stay secure, it still may not be enough," the company said. "We are continuing to improve ClixSense security all around and we will continue to keep you updated on any new developments."

The 10 step guide to using Tor to protect your privacy

Editorial standards