Social Blade Suffers Data Breach
The Threat Actor Gained Access to Users’ Personal Information.
On December 14th, Social Blade, a statistics website that allows its users to track statistics and measure growth across multiple social media platforms such as YouTube, Instagram, and Twitch, notified its clients about a potential data breach. The company has yet to release a statement regarding the number of users affected by the breach.
“We were notified of a potential data breach whereby an individual had acquired exports of our user database and were attempting to sell it on a hacker forum. Samples were posted and we verified that they were indeed real. It appears this individual made use of a vulnerability on our website to gain access to our database.”
Social Blade in a notification email sent to its users
What Happened and What Data Was Stolen?
The company assured its users that credit card information was not leaked during the data breach; however, other personal information was.
The threat actor responsible for the attack gained access to notable pieces of information including email addresses, IP addresses, password hashes, client IDs and tokens for Social Blade’s business API users, authentication tokens for connected accounts, and many other pieces of non-personal and internal data. A small subset of data (about a tenth of a percent) also included addresses.
“While account password hashes were leaked, we have never stored your password in plain text so your password is still secure.”
The passwords of Social Blade users are hashed using the bcrypt algorithm. Due to the complexity of bcrypt, the company determined that resetting everyone’s passwords was not a necessary step, but for extra security, it wouldn’t hurt to change your password.
Notification email sent by Social Blade to its users
Social Blade Takes Action
The company has started to investigate the event and possible causes that might have triggered it.
“We’re doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incidents.”
Business API users were already informed, through a separate email, that their authentication tokens had been modified to bar access from outside sources.
For users who had linked other social media accounts where an authentication token was maintained, those tokens have also been cycled, when necessary, to ensure that none of the associated accounts are in danger.
Social Blade apologized for the inconvenience created and assured its users that it is doing everything it can to prevent such incidents from occurring in the future.
“We are all too aware that bad actors will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Social Blade will never be complacent in hardening our security and defenses.”
The company ended the announcement by advising its clients to be vigilant and reminding them that no one at Social Blade will ever reach out to them to ask for a password or credit card number over email.