Data belonging to users of American culture and technology news website Mashable has been leaked on the internet.
In a statement released Sunday, November 8, Mashable confirmed that a hacker had obtained a copy of one of its databases and published it online.
The site launched an investigation after learning of the attack on November 4. Mashable has temporarily disabled access to all accounts impacted by the security breach as a cautionary measure.
The exposed data is linked to a sign-in feature that is no longer in use on the Mashable website. Information leaked included first and last names, location data, email addresses, gender, date of registration, IP addresses, links to social media profiles, expired OAuth tokens, and the days and months on which users’ birthdays fall.
“This past Wednesday evening, November 4th, we learned that a hacker known for targeting websites and apps had posted a copy of a Mashable database to the internet,” said Mashable.
“Based on our review, the database related to a feature that, in the past, had allowed readers to use their social media account sign-in (such as Facebook or Twitter) to make sharing content from Mashable easier.”
Mashable stated that it does not require or store any financial data belonging to any of its registered users.
The site said that their ongoing investigation into the attack had so far found no evidence that user password data had been accessed by an unauthorized party.
The site asked users to be wary of any emails they receive that contain links to unfamiliar sites and to send any suspicious emails to them for investigation.
Users were also advised to confirm the authenticity of the emails they receive by other means such as over the phone.
“We appreciate your attention to this important topic and sincerely apologize for any concern or inconvenience this incident may cause,” said Mashable.
“Protecting our users’ data is one of our highest priorities. We are working hard to investigate the issue and prevent it from happening again.”
Mashable has not disclosed the identity of their attacker, but states that the hacker is “known for targeting websites and apps.”
This article originally appeared in InfoSecurity.
