SitePoint, a website that provides access to a wealth of web development tutorials and books, has disclosed a security breach this week in emails sent to some of its users.
The company has formally admitted to a breach after a hacker put up for sale a collection of one million SitePoint user details on a cybercrime forum in December 2020.
In a data breach notification this week, SitePoint confirmed an intrusion into its systems sometime last year.
“At this point, we believe the accessed information mainly relates to your name, email address, hashed password, username, and IP address,” the company said.
SitePoint has now initiated a password reset on all accounts and is asking users to choose new ones that are at least ten characters long.
The tutorials and books publisher believes that the stolen passwords are currently safe, as they have been hashed with the bcrypt algorithm and salted, which should make cracking the password strings to its plaintext version a pretty lengthy process for the time being.
“We recommend that you change passwords from any other websites that may be a duplicate of your SitePoint password, just as a precaution,” the company added.
The WayDev connection
SitePoint said that based on current evidence, the breach occurred after the attackers gained access to “a third party tool [they] used to monitor [their] GitHub account.”
“This allowed access through our codebase into our systems. This tool has since been removed, all of our API keys rotated and passwords changed,” the company said.
While SitePoint doesn’t mention this tool by name, it is most likely referring to a tool from Git analytics service Waydev, which disclosed a security breach last summer.
This same tool was also used to breach custom apparel vendor Teespring, whose data was also sold by the same hacker, in the same package, at the same time as the SitePoint data.