The personal details of 13 million DailyQuiz users have been leaked online earlier this year, The Record reports. A hacker breached the quiz builder’s database and stole its content, which he later put up for sale. DailyQuiz (formerly known as ThisCrush) is a popular personal quiz builder website.
The Record says it has obtained copies of the leaked data containing records of 12.8 million users. This includes unencrypted data from 8.3 million accounts in plaintext format – passwords, emails, and IP addresses.
DailyQuiz has confirmed the security breach took place. Currently, its website displays a pop-up notice:
“Due to optional security breach your password might have been exposed and we encourage you to update it.”
Since January 2021, the data has been up for sale on hacking forums and Telegram channels for a price of $2,000 paid in cryptocurrency. It made its way into the public domain this month when a security researcher found it and shared it with The Record.
The data has also been added to Have I Been Pwned, a breach database, which DailQuiz users can use to see if their personal details were among those that leaked.
The website’s operators can be partially blamed for the compromised personal data since they stored users’ passwords and other sensitive info in plaintext. DailyQuiz is not the first company to make this mistake. Others include Russian social media giant VK, crypto trading platform Robinhood, Italian email provider Email.it, Google’s G Suite platform, and Instagram.
Cybercriminals can use such leaked data to carry out credential stuffing attacks in an attempt to hijack the victim’s other accounts or for impersonation/identity theft.
By storing passwords in plaintext, websites do hackers a favor by allowing them to skip cracking hashed passwords (encrypted passwords).
DailyQuiz users should change their usernames, emails, and passwords on other sites right away if they reused there the ones associated with DailyQuiz.