The exposed data consisted of information such as names, location, email IDs, gender, date of registration, IP addresses, connected social media profiles, expired OAuth tokens, and user birthdays. Although Mashable hasn’t revealed the identity of the hacker, it stated that the perpetrator is “a hacker known for targeting websites and apps”, and that they have “posted a copy of a Mashable database to the internet”.
The vulnerability that enabled this breach was associated with the website’s social media sign-in feature, which has since been disabled. Mashable claims it was notified about the breach on November 04, 2020, after which it verified and confirmed the hack.
With a user base largely concentrated in the US, UK, Canada, Australia, and India, a significant amount of Mashable’s traffic can be attributed to its social media presence – from Facebook to Twitter, Reddit to Pinterest.
Mashable assured its users that while some of their details have been leaked, financial data is not stored and therefore not exposed. It has temporarily disabled all affected accounts to minimize the damage caused.
“Additionally, based on our investigation to date, we have no reason to believe that any user password data was accessed,” it stated.
Mashable added, “Protecting our users’ data is one of our highest priorities. We are working hard to investigate the issue and prevent it from happening again.” It also issued general safety tips.
It advised users to contact Mashable on receiving suspicious emails related to the website, to keep passwords and personal information private, and to confirm odd Mashable communications by using other forms of communication.
While Mashable took 4 days to report the breach publicly, security experts deemed its PR response appropriate and worth appreciating. The company made sure to report all relevant details to its users, assured them about the security of their financial data and passwords, and added safety tips against possible phishing attempts.