Design Marketplace Minted Confirms Recent Data Breach
Minted, an online marketplace of crowdsourced art and graphic designs, this week confirmed that it was the victim of a data breach earlier this month.
Founded in 2007 and headquartered in San Francisco, the online marketplace holds regular design challenges in which thousands of independent artists and designers participate. Thousands of designs are submitted each week and marketplace visitors vote to help choose the winners, which end up being sold on the site.
Information on a security incident affecting Minted became public several weeks ago, when a hacking group referred to as Shiny Hunters started advertising user records stolen in multiple fresh data breaches, including information exfiltrated from Minted.
At the time, the hackers said they were in possession of 5 million user accounts, and were asking for $2,500 for the data.
Minted, which appears to have been alerted to the data breach only after the first reports emerged in online media, launched an investigation into the incident and discovered that hackers were indeed able to breach its user account database on May 6, 2020.
The investigation revealed that the cybercriminals managed to compromise customer names, along with the login credentials to their Minted accounts, which include email addresses and passwords (hashed and salted).
Additionally, the hackers accessed the telephone numbers and billing and shipping addresses of users. For less than 1% of the impacted users, the date of birth was also exposed.
“Based on our investigation to date, we have no reason to believe that the following information was affected: payment or credit card information, customer address book information, or photos or personalized information that customers added to Minted designs,” the company said.
Although the affected passwords were not stored in plain text, Minted is asking customers to change the passwords for their Minted accounts, as well as for any other online accounts on which the same email address and password combination was used.
“As always, customers should be cautious of any unsolicited communications that ask for personal information and avoid clicking on links or downloading attachments from suspicious emails,” Minted also says.
“End users will want to continue vigilance when it comes to spear phishing or targeted emails about their accounts. By sharing their password or some other sensitive information from the breach, a criminal’s email will entice them to open attachments or click on links related to these attacks and thus compromise their systems further. People need to make sure they are using different passwords for various sites and accounts. In the unfortunate event of a data breach, they only need to change the one password versus now being susceptible to attacks on their accounts on different sites because they used the same password,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.