The passwords weren’t properly encrypted after all

Mar 10, 2014 14:19 GMT  ·  By

On Saturday, we learned that statistics company Statista suffered a data breach. The company has responded to my inquiry about the incident and provided additional details.

It turns out that roughly 50,000 users are impacted by the data breach. The incident was discovered after spam emails started landing in email addresses that were used by the company only internally.

After the spam emails were spotted, the company reviewed its systems and discovered the intrusion, Statista representatives told me in an emailed statement.

The company’s representatives say that since the relaunch in December 2013, they’ve been using “512-bit encryption with salt.” However, the passwords of those who signed up before this date were stored in the Statista database as plain MD5 hashes. As many experts will tell you, MD5 is a fast, unsalted hash in this use, so passwords stored this way can be cracked easily.
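The difference between the two storage schemes is what decides which users need a forced reset. The following is an added example, not Statista’s code and not based on any detail of their system beyond what the article states: it assumes the legacy records were plain hex MD5 digests and, since the article does not name the “512-bit” scheme, uses PBKDF2-HMAC-SHA512 with a random salt as a representative salted design. The password list and stored records are constructed sample data. The audit function shows why unsalted MD5 is the weak case: the same password always yields the same digest, so a company can (and an attacker with the dump likewise could) match a whole table of stored hashes against a small list of common passwords with no per-user work, whereas the salted, iterated records give nothing to precompute.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of weak, reused passwords a precomputed
# table is built from; the actual leaked values are not on the page.
COMMON_PASSWORDS = ["password", "123456", "letmein"]


def md5_hex(password: str) -> str:
    """Plain hex MD5, the legacy format the article describes (assumption: no salt)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_table(candidates):
    """Compute digest -> password once; it applies to every unsalted MD5 store."""
    return {md5_hex(p): p for p in candidates}


def audit_unsalted_store(records, table):
    """Return the usernames whose stored MD5 digest matches a common password.

    `records` maps username -> stored hex digest. Because the hash has no
    salt, a single dictionary lookup per record is enough; this is the same
    property that makes the legacy records easy to crack once leaked.
    """
    return sorted(user for user, digest in records.items() if digest in table)


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated record: 'pbkdf2_sha512$<iters>$<salt hex>$<dk hex>'."""
    salt = os.urandom(16)                       # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    # Constructed legacy table: two users chose common passwords, one did not.
    legacy = {
        "alice": md5_hex("password"),
        "bob": md5_hex("letmein"),
        "carol": md5_hex("correct horse battery staple"),
    }
    weak = audit_unsalted_store(legacy, build_md5_table(COMMON_PASSWORDS))

    # Same password stored twice under the salted scheme gives different records,
    # so no table built in advance matches either of them.
    rec1 = pbkdf2_store("password")
    rec2 = pbkdf2_store("password")
    return weak, rec1 != rec2, pbkdf2_verify("password", rec1)


if __name__ == "__main__":
    print(demo())  # (['alice', 'bob'], True, True)
```

Running `demo()` flags `alice` and `bob` for a forced reset while `carol` is untouched, and shows that two salted records for the identical password differ yet both verify. The iteration count is an illustrative value; the point the article makes is the salt plus a deliberately slow hash, not the specific number.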

Statista has sent out two types of notifications: one for customers whose passwords were stored as MD5 hashes, and one for those whose passwords were stored under the newer salted scheme and are not considered crackable.

The company has reset the passwords of users whose accounts were not properly protected. Users who registered more recently are not required to change their passwords, but they can do so as a precaution if they wish.

Statista customers whose passwords have been exposed are advised to change all their passwords in case they’ve used the same one for multiple online services.

Also, since Statista’s internal addresses have been receiving spam, it’s likely that all of the 50,000 users whose email addresses were exposed are receiving unsolicited emails too. Users should treat any suspicious message in their inbox with caution.

Updated to clarify that Statista has sent out different emails to users whose passwords were not properly encrypted. The original version of the article erroneously accused the company of misleading customers.