Victims are advised to be on the lookout for malicious emails

Jan 18, 2012 09:11 GMT

A hacker managed to bypass the security mechanisms of online clothing and accessories store David Morgan, leaking usernames (customer email addresses) and password hashes.

The hacker posted 6,000 credential sets on Pastebin, but claims to have obtained more than 24,000 in total.

“Ohai, still out there bringing you freshly dumped data from all over the world wide web. This one is a bit special, the dump is from an online shop called David Morgan. They're supposed to be this ‘secure online catalog’, but I guess they aren't? Lulz!” the hacker said.

The hacker also warns that many of the email addresses used as usernames end in the .mil and .gov domain extensions, which indicates that government and military personnel may be exposed as a result of the hack.

“Using your work e-mail on unsecured websites could result in your work e-mail getting pwnd,” said the hacker.

He identified 71 .mil and 76 .gov email addresses among the leaked data. Besides the military and government addresses, the leak also contains many usernames that are corporate email addresses, which could be used to launch targeted social engineering attacks.

We have contacted David Morgan to find out if they’re aware of the breach and to learn if any measures have been taken to protect their customers.

In the meantime, users who own a David Morgan account are advised to change their passwords immediately. Those whose accounts are registered with a work email address should also be on the lookout for any suspicious messages that land in their inboxes in the coming period.

In such cases, cybercriminals send so-called Security Advisory emails that appear to come from the company's internal IT department, notifying the recipient of a security flaw that supposedly needs to be patched by opening an attached file.