Wappalyzer discloses security breach after hacker starts emailing users

Wappalyzer tells ZDNet that only 16,000 users have been impacted in the incident.

Wappalyzer

Image: ZDNet, Wappalyzer

Tech company Wappalyzer has disclosed a security incident this week after a hacker began emailing its customers and offering to sell Wappalyzer's database for $2,000.

"If you receive this e-mail it's because we get the full database of Wappalyzer, and your e-mail is on the database," the hacker, going by the name of CyberMath, wrote in an email sent to Wappalyzer customers this week.

"I'm selling the full .sql for 2000$ in Bitcoin," the hacker added, while also sharing screenshots of the stolen database files.

wappalyzier-screens.png

Image: ZDNet

Wappalyzer did not dispute the fact that it suffered a security breach. As soon as the hacker began email customers, the company sent out an email of its own.

In a data breach notification email, Wappalyzer confirmed the incident and said the hack took place on January 20 when an intruder accessed one of its databases, which the company said it left exposed online due to a misconfiguration.

However, while the company admitted there was a hack, it downplayed the severity of the security breach.

"Some of our customers received an email from the perpetrator offering to sell stolen datasets. This data does not include personal information. If you receive such an email, mark it as spam and do not reply or click any links as it's likely a scam," the company told customers.

In an email interview today, Wappalyzer founder Elbert Alias told ZDNet that the stolen database mostly contained "technographic data."

The company, which started as a Firefox add-on in 2008, lets users scan websites and receive a report about what technology stacks (server type, CMS, JS libraries, etc.) the site is using. Users can look up one website at a time, multiple websites in bulk, or they can buy statistical data on the most common web technologies used today.

Technographic data is the data the company collects about all the scanned websites, and it is also the data the company sells through its Datasets section on its official website.

Alias told ZDNet the hacker breached and stole this data from a database powering its old website.

"Our new website went live two weeks ago and no longer uses the legacy database that was breached," Alias said.

Hacker also stole emails and billing info for 16,000 customers

But while most of the stolen data were stats about websites and their underlying technologies, some user information was also included.

"The database also contained email addresses of anyone who has requested a quote for a dataset, and billing addresses of anyone who has placed an order," Alias said.

Emails for up to 16,000 Wappalyzer customers were taken in the incident, Alias told ZDNet. The number of billing addresses is most likely lower, as not all customers who requested a price quote also followed through with an order.

Details like passwords or payment card details were not included.

All in all, the hacker doesn't appear to have stolen any meaningful information, hence the reason they're now trying to trick customers into buying the data.

"We've advised our users against attempting to purchase data from a criminal for Bitcoin, as they may well get nothing in return," Alias told us.

"The stolen data is already outdated. Our datasets are updated continuously and never contain data more than three months old."

[Below are Wappalyzer's breach notification email on the left and the hacker's email on the right.]

wappalyzer-emails.png

Image: Arif Khan (supplied)