More than 1.8 million accounts and 808K emails leaked

Nov 26, 2018 19:39 GMT

On November 21, the data protection authority of the German state of Baden-Württemberg (LfDI) fined the social network Knuddels.de €20,000 for violating Art. 32 of the EU's General Data Protection Regulation (GDPR): the site had stored its users' passwords in plain text, and those passwords were subsequently leaked.
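Art. 32 GDPR requires security measures appropriate to the risk, and for login credentials that means the service never keeps the password itself. The following is an added illustration, not code from the article or from Knuddels: it contrasts the plain-text credential table the fine concerned with a table that stores only a per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). The user names, passwords and the iteration count are constructed sample values for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# --- The practice the LfDI fined: the table holds the password itself.
# Whoever copies this table can log in as every user immediately, and can
# reuse the passwords against any other site where they were recycled.
def store_plaintext(table: Dict[str, str], username: str, password: str) -> None:
    table[username] = password


# --- Mitigation: store only salt + iterated hash, never the password.
# Constructed parameters for the example; tune iterations to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_hashed(table: Dict[str, str], username: str, password: str) -> None:
    table[username] = hash_password(password)


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Populate both table styles with constructed sample users."""
    plain: Dict[str, str] = {}
    hashed: Dict[str, str] = {}
    # Two users sharing a password: the salt keeps their stored records distinct.
    for user, pw in [("alice", "correct horse"), ("bob", "correct horse")]:
        store_plaintext(plain, user, pw)
        store_hashed(hashed, user, pw)
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = demo()
    print("plaintext table:", plain)
    print("hashed table:   ", hashed)
    print("alice login ok: ", verify_password(hashed["alice"], "correct horse"))
```

If the hashed table leaks, an attacker still has to run the key derivation for every guess against every user separately, which is the delay the plain-text table removed entirely. In production, prefer a memory-hard function such as scrypt or Argon2 where available, and rotate the iteration count upward over time by rehashing on successful login.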

The fine could have been far larger: since May 2018 the GDPR has provided for penalties of up to €20 million or, in the case of companies, up to four percent of worldwide annual turnover.

According to LfDI data protection commissioner Stefan Brink, the fine was kept to €20,000 because of the company's exemplary cooperation with the authority throughout the investigation of the breach.

After detecting the attack on its systems in the summer of 2018, Knuddels immediately notified the LfDI of the breach, reporting that roughly 1,872,000 usernames and passwords, as well as 808,000 e-mail addresses, had been stolen and published by unauthorized parties on the Mega.nz website.

On the whole, 330,000 Knuddels users were affected by the attack

Besides the usernames and passwords, the attackers also obtained personally identifiable information such as addresses and the real first names of the affected users.

In the notification sent to its users, Knuddels also said that "The most important first step is to change your passwords. If you have already done that today, everything is fine. If you have not done that yet, please do it immediately. Please log into the chat and follow the instructions there."

All in all, the breach Knuddels suffered during the summer affected roughly 330,000 users, who had their usernames and passwords stolen together with their home addresses and names.

"Those who learn from harm and act transparently to improve data protection can emerge stronger as a company from a hacker attack," said Brink.

He added: "As a fine, the LfDI is not interested in entering into a competition for the highest possible fines. In the end, it's about improving privacy and data security for the users."