CashCrate, a website where users could complete surveys in exchange for money, has been hacked and more than 6 million accounts and passwords have been stolen.

The hack, which was confirmed by Motherboard, includes a considerable amount of information about CashCrate users. The breached database contained names, email addresses, passwords and physical addresses associated with the stolen accounts.

While no hack is particularly good for those involved, the CashCrate breach revealed the site’s ongoing lack of proper security protocols to protect its user information — an issue that dates as far back as 2006 for the survey site.

Accounts created at CashCrate after 2010 have their passwords hashed, a process that converts passwords into an unreadable string of text. However, they are hashed using the MD5 algorithm, which is known for being relatively easy to crack.

A previous breach at font sharing website DaFont.com also involved passwords hashed using the MD5 algorithm. In that breach, the hacker was able to crack more than 98 percent of all passwords in the database.

Should the hackers who gained access to the CashCrate database want to, they would likely be able to crack the hashing scheme used to protect the passwords and reveal the passwords in plaintext.

For users who created accounts before 2010, no such crack is necessary to access the plaintext password. CashCrate stored user passwords without any such protection, meaning the hackers have immediate access to the passwords associated with those accounts. The breach includes accounts that were registered as early as 2006.

Exposed passwords present a serious problem for any user who has reused the password associated with their CashCrate account for another service. With their name and email address available in the database, it’s easy for a person to cross-reference previous breaches or attempt to log into the user’s accounts using the exposed password.

Users who may have been exposed in the CashCrate hack are advised to change their passwords for any accounts that may share the same password as their CashCrate account.

In addition to the lax password hashing habits of CashCrate, the site also lacks basic web encryption throughout — including on its login page — which means any malicious actor could potentially intercept sensitive data as it is being exchanged between the user and the unsecure site.

CashCrate said all user accounts created after 2013 have their passwords hashed and salted — a security measure that inserts additional random characters into the password to make it more difficult to crack. The company told Motherboard it was unaware why older passwords did not have such protection.

"We're in the process of notifying all our members about the breach. While we're still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We've deactivated it until we're confident it's secure," a spokesperson for the company said.
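
The three storage tiers described in this article (plaintext, unsalted MD5, salted hash) can be compared side by side. The Python below is an added example, not CashCrate's code: it shows that unsalted MD5 gives every user of the same password the same stored value, and how a site can move legacy records to a salted, slow hash at the next successful login. The choice of PBKDF2, the work factor, the record format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware

def md5_unsalted(password):
    """Legacy scheme described in the article: one fast MD5 pass, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def classify(stored):
    """Guess the storage tier of a record (a real schema should store the scheme)."""
    if stored.startswith("pbkdf2$"):
        return "salted"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored):
        return "md5"
    return "plaintext"

def verify_and_upgrade(password, stored):
    """Check a login against any tier; on success return a salted replacement."""
    tier = classify(stored)
    if tier == "salted":
        salt = bytes.fromhex(stored.split("$")[1])
        return hmac.compare_digest(salted_hash(password, salt), stored), stored
    expected = md5_unsalted(password) if tier == "md5" else password
    ok = hmac.compare_digest(expected.encode(), stored.encode())
    return ok, (salted_hash(password) if ok else stored)

if __name__ == "__main__":
    # Constructed records: two users who chose the same password.
    a, b = md5_unsalted("correct horse"), md5_unsalted("correct horse")
    print("unsalted MD5 identical:", a == b)
    print("salted hashes identical:",
          salted_hash("correct horse") == salted_hash("correct horse"))
    ok, upgraded = verify_and_upgrade("correct horse", a)
    print("legacy login ok:", ok, "-> now stored as", classify(upgraded))
```

Upgrading on login only protects accounts that sign in again; records that stay in the plaintext or MD5 tier remain exposed until they are rehashed or their passwords are reset.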