Toronto-based online entertainment startup Wattpad has notified its users that some of their data, such as email addresses, birth dates, IP addresses, and encrypted passwords, “may have been improperly accessed.”
Compromised data may involve email addresses, IP addresses, encrypted passwords, survey responses, and purchases.
Wattpad notified its users of the potential data breach via email yesterday, seven days after the company released a public statement acknowledging it was aware of reports that user data had been accessed without authorization, and declaring it was “urgently working to investigate, contain, and remediate the issue with the assistance of external security consultants.”
On Monday, the company said it would be resetting passwords and advising its users to change their passwords on other sites if they used the same passwords on Wattpad. Multiple Wattpad users BetaKit spoke with confirmed that they had not received communication from the company related to the breach, or the need to change their account password.
The email to users sent out Tuesday indicated that the compromised personal data may involve email addresses, date of birth and gender (if provided), IP addresses (upon sign up, if registered before 2017), profile display names, account name and “salted and cryptographically hashed passwords,” user survey responses (pre-2015), and lists of paid stories and chapter titles purchased by users.
“We recently learned that some of our user data may have been improperly accessed,” wrote Wattpad in the email it sent to users on Tuesday. “We have taken immediate action to contain and fix the issue, and we are continuing to investigate with assistance from external security experts.”
Wattpad also acknowledged the information involved might include third-party account IDs, but not passwords, noting that “passwords associated with third-party accounts are not stored on [their] systems and are unaffected.”
“We want to stress that Wattpad does not store plain text passwords,” stated the email. “All Wattpad passwords are encrypted.” Wattpad also emphasized that user stories, private messages, and phone numbers were not involved.
The company added that, “based on the investigation to date,” user financial information was not affected because it is not stored on affected systems.
Founded in 2006, Wattpad’s online self-publishing platforms act as a community for readers and writers.
Wattpad’s email to users on Tuesday follows reports that Cyble, a cybersecurity intelligence firm based in Georgia, detected a Wattpad data breach in the first week of July and received information regarding approximately 270 million user records being sold for 10 bitcoins, or approximately $100,000 at the time. Cyble noted that the data was later being offered for free.
Wattpad reported in August 2019 that it has 80 million monthly users.