Evite e-invite website admits security breach

Company comes clean after a hacker put its data up for sale on the dark web in April.
Written by Catalin Cimpanu, Contributor

Evite, a social planning and e-invitations service, and one of the biggest sites on the Internet, has officially admitted to a security breach that ZDNet first reported back in April.

At the time, a hacker named Gnosticplayers put up for sale the customer data of six companies, including Evite.

The hacker claimed to be selling ten million Evite user records that included full names, email addresses, IP addresses, and cleartext passwords.

ZDNet reached out to notify Evite of the hack and that its data was being sold on the dark web on April 15; however, the company never responded to our request for comment.

Hack took place in February 2019

But over the weekend, Evite published a FAQ page on its website, admitting to the hack, and publishing more details about the incident.

The company said that following an investigation, it tracked the incident to "malicious activity starting on February 22, 2019."

Evite said the malicious intruder stole "an inactive data storage file" that was holding information on some Evite user accounts. According to the company, the file -- which appears to have been an old backup -- didn't store "user information more recent than 2013."

As part of its remediation efforts, Evite said it would prompt users to reset their passwords during their next login.

Evite also provided a clearer image of what was stored inside the file the hacker stole from its server.

"Potentially affected information could include names, usernames, email addresses, passwords, and, if optionally provided to us, dates of birth, phone numbers, and mailing addresses," the online e-invite portal said.

No SSNs or financial data stolen

No financial data or Social Security numbers were exposed, Evite said, as it doesn't collect SSNs, and all financial data is handled by a third-party vendor.

The company also said it notified law enforcement of the incident, and "worked with an outside security expert to address the vulnerabilities and remediate the incident."

Evite is currently ranked among the Alexa Top 3,000 most popular sites on the Internet, at #2,744. In 2018, the site claimed it had "100+ million annual users."

The service is also one of the oldest sites around, recently celebrating its 21st birthday. It was founded in 1998.

Back in April, the data of 10 million Evite users was put up for sale on a dark web marketplace for ฿0.2419 (~$1,900). The same hacker has breached, stolen, and put up for sale the details of over one billion users from many other companies, including other major online services, such as Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, and others.
