Data from 640,000 accounts on font website DaFont leaked
Attackers managed to break into DaFont.com's servers and steal the user database. As a result, passwords, among other things, were leaked. They turned out to be hashed with the weak MD5 algorithm and were therefore easy to crack.
The leak involves the usernames, email addresses and password hashes of 699,464 accounts. In total, almost 640,000 email addresses are affected; some users probably had multiple accounts. An anonymous source provided ZDNet with a sample of the data.
According to the source, the database was already being traded on underground markets, after which he checked DaFont.com himself and found that the site was vulnerable to SQL injection. After downloading the data, he managed to recover 98 percent of the passwords, owing to the use of MD5, which has long been known to be a weak algorithm.
The data has also been added to the Have I Been Pwned site, where users can check whether their data has been exposed. DaFont.com administrators have not yet commented on the findings.
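The weakness reported above is that unsalted MD5 is fast to compute and gives every account with the same password the same hash. The following Python code is an added example, not code from DaFont or the original article: it shows a defensive migration in which existing MD5 hashes are wrapped in salted PBKDF2 immediately and replaced by a direct PBKDF2 hash at the next successful login. The record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the storage scheme the article describes."""
    return hashlib.md5(password.encode()).hexdigest()


def _stretch(material: str, salt: bytes) -> bytes:
    """Slow, salted derivation: equal inputs no longer give equal records."""
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)


def wrap_legacy(md5_hex: str) -> dict:
    """Protect a stored MD5 hash right away, without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-md5", "salt": salt, "hash": _stretch(md5_hex, salt)}


def new_record(password: str) -> dict:
    """Record for a new or upgraded account: PBKDF2 over the password itself."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": _stretch(password, salt)}


def verify_and_upgrade(record: dict, password: str):
    """Return (ok, record); a wrapped legacy record is upgraded on success."""
    legacy = record["scheme"] == "pbkdf2-md5"
    material = legacy_md5(password) if legacy else password
    candidate = _stretch(material, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    return True, (new_record(password) if legacy else record)


if __name__ == "__main__":
    # Constructed sample: two accounts that share one password.
    shared = legacy_md5("constructed-pass-1")
    alice, bob = wrap_legacy(shared), wrap_legacy(shared)
    print("MD5 digests identical:", shared == legacy_md5("constructed-pass-1"))
    print("wrapped records identical:", alice["hash"] == bob["hash"])
    ok, alice = verify_and_upgrade(alice, "constructed-pass-1")
    print("login ok:", ok, "scheme now:", alice["scheme"])
```

The raw MD5 column has to be deleted once every row is wrapped; otherwise a later database leak still exposes the fast hashes.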