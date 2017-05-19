FONT REPOSITORY AND DOWNLOAD SITE DaFont has been breached and a very significant percentage of its passwords pilfered.

98 per cent of passwords is the quoted number and the word is that the encryption was as weak as bad tea. Troy Hunt at Have I Been Pwned got the skinny on this, and reckons that the site did not get away lightly.

"In May 2017, font sharing site DaFont suffered a data breach resulting in the exposure of 637k records. Allegedly due to a SQL injection vulnerability exploited by multiple parties, the exposed data included usernames, email addresses and passwords stored as MD5 without a salt," it says.

Although DaFont does hash its users' passwords, the site used the outdated MD5 hashing algorithm to scramble passwor…https://t.co/UUgBL5HYt6 — Yuri Frayman (@YFrayman) May 19, 2017
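What "MD5 without a salt" means for a user table, as an added example (not code from DaFont, ZDNet or Have I Been Pwned): every account with the same password stores the same digest, whereas a per-user salt and a slow key-derivation function give each account a distinct record. The sample accounts are constructed and the PBKDF2 iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not data from the breach).
USERS = [("alice", "sunshine1"), ("bob", "sunshine1"),
         ("carol", "sunshine1"), ("dave", "Tr0ub4dor&3")]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def md5_unsalted(password):
    """Storage scheme described in the breach notice: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_record(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(stored):
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(stored)
    return sum(n for n in counts.values() if n > 1)


def compare_schemes(users=USERS):
    """Return (accounts sharing a digest under MD5, same under salted PBKDF2)."""
    weak = [md5_unsalted(pw) for _, pw in users]
    strong = [pbkdf2_record(pw)[1] for _, pw in users]
    return shared_digests(weak), shared_digests(strong)


if __name__ == "__main__":
    weak_shared, strong_shared = compare_schemes()
    print(f"unsalted MD5:  {weak_shared} of {len(USERS)} accounts share a digest")
    print(f"salted PBKDF2: {strong_shared} of {len(USERS)} accounts share a digest")
```
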

The hacker, unnamed, has spoken to ZDNet about this, telling it that he pulled the breach out of his bag because other people were boasting that they had it, and to test out his skills.

"I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told reporters there, adding that it was "mainly just for the challenge [and for] training my pentest skills."

DaFont hack: Popular font sharing site's entire database of registered users exposed — Hazel Pulido (@HazelPulido) May 19, 2017

DaFont has not taken up any space on its homepage to alert users to this, and we could not find a mention on the FAQ either. ZDNet said that the firm has been uncommunicative, but it provided a statement to the INQUIRER.

"We have been made aware of vulnerabilities and we are actively working to fix them," a spokesperson said. "Some vulnerabilities had already been fixed before the ZDNet article. We have taken immediate measures to limit malicious access to users' accounts."

DaFont has a cool name, and some cool fonts, but it keeps its cards close to its chest. We couldn't find it on Twitter, and while we could have looked it up on Facebook we did not want to get bogged down in all the shit that goes on there or sign in just to get tracked up the wazoo.

Any pro designers feeling schadenfreude about the dafont hack: you prob. use sites that have been hacked: Tumblr, Dropbox, LinkedIn, Adobe. — Tilmann Hielscher (@tillepalle) May 19, 2017

Twitter users though, oh yeah they are commenting. µ