Mashable issued a statement on their website saying in part: “This past Wednesday evening, November 4th, we learned that a hacker known for targeting websites and apps had posted a copy of a Mashable database to the internet. Based on our review, the database related to a feature that, in the past, had allowed readers to use their social media account sign-in (such as Facebook or Twitter) to make sharing content from Mashable easier…”.
Although it took Mashable a few days to confirm the breach, their straightforward response is commendable. They confirmed the breach, outlined what data was stolen, stressed that Mashable doesn’t store financial data, and offered comfort that they don’t believe any password data was breached. If these details remain the extent of the breach, and additional concerns don’t come to light later, then this is a good example of how organizations should handle PR in the event of a data breach.
I’ll start with the fact that I think Mashable did a pretty good job after this breach – they took the right steps. They sent out messages warning their visitors of possible phishing campaigns. They were definitely trying to be part of the conversation and be involved with the situation.
That being said, Mashable should be more informed about using the correct terminology regarding this breach – it was not a “hacker,” this was an attacker, a criminal (or criminals). The attacker, ShinyHunters, definitely has been collecting a good portfolio of leaking databases. And while we can’t assume ShinyHunters is one person or more than one person, we do need to state what this ShinyHunters is – and that is NOT a hacker. A hacker does not steal and breach information and exploit it – that is criminal behavior. Hackers protect. Hackers let organizations know when they have vulnerabilities and to be aware of it so it can be corrected.
The Mashable breach represents another case where potentially important data has fallen into the attacker’s hands. While there were apparently no passwords or financial information revealed, the personal information such as email addresses, names, locations, etc., could be very useful for an attacker looking to do targeted phishing emails or social engineering attacks.
There is always a lot of attention on breaches that reveal passwords or financial information, but there is a lot of other personal information an attacker can leverage, especially when they take the time and effort to engage in social engineering attacks. That’s why even organizations that don’t hold confidential PII need to keep their cybersecurity stack up to date, including behavioral analytics, to identify novel attacks before they turn into major data breaches.