Threat Watch

Havenly Discloses Data Breach

Havenly, an online interior design and home decoration site based in the US, has disclosed a breach that exposed a database containing approximately 1.3 million user records. Confirmed last week by BleepingComputer, a hacking group named ShinyHunters leaked databases from 18 companies on a hacker forum. From the sample evaluated, the Havenly database leak contained the user’s login name, full name, MD5 hashed password, email address, phone number, zip code, and various other data. With the breach disclosure, Havenly began notifying users of the breach and forced a mandatory reset of all passwords. 

ANALYST NOTES

Even though the passwords were hashed, since Havenly used the older MD5 algorithm with no “salting” or randomness added to the password before hashing, it is extremely fast and easy for attackers to crack the hashes and recover the passwords using even modest computing power. Then they could use that password to try to login to other websites with the same email address and password, a common attack known as credential stuffing. Users should immediately change their password to a strong and unique one. A best practice for picking a password is to let a password manager choose a completely random sequence of letters, numbers and symbols, or use a long passphrase instead of a simple word if it must be remembered. Even a physical notebook with passwords written down is better than using dictionary words or names as passwords. Passwords should also never be used on more than one site or service, to guard against credential stuffing. There are several password managers available that can help keep track of all the passwords used.

Source Article: https://www.bleepingcomputer.com/news/security/havenly-discloses-data-breach-after-13m-accounts-leaked-online/