ClixSense – a website that lets users earn cash for viewing ads and completing surveys – has suffered a major data breach compromising roughly 6.6 million user accounts.
On Sunday, ClixSense confirmed the incident on its HelpDesk forum, stating a hacker was able to access its database for “a short period of time.”
“He was able to gain access to this not directly but instead through an old server we were no longer using that had a connection to our database server,” read the announcement.
“[The hacker] was able to copy most if not all of our users table, he ran some SQL code that changed the names on accounts to ‘hacked account’ and deleted many forum posts. He also set user balances to $0.00,” said ClixSense.
Fortunately, ClixSense said it was able to restore user balances, forum posts and many account names. As a precautionary measure, users were required to change their passwords.
“If by chance you have used the same password here as other services (such as your email, Paypal or another PTC, etc.), please make sure you change these passwords too,” urged ClixSense.
Nonetheless, the notice failed to mention the extent of the data breach or that users’ personal information had been compromised. Instead, the announcement attempted to assure users their information was now “much more secure.”
“What does this all mean? Simply put, your ClixSense account information is now much more secure . . . . [The incident] has taught us that regardless of what you do to stay secure, it still may not be enough.”
Meanwhile, according to Ars Technica, more than 2.2 million stolen records have been leaked online, including plaintext passwords, usernames, emails, home addresses, and other personal information.
Those responsible for the data dump are reportedly selling the remaining 4.4 million accounts at an undisclosed price, along with the ClixSense website source code.
The post advertising the stolen data on PasteBin.com, which was taken down one or two days later, noted most of the compromised personal information was current as of last month, with emails and other data updated even more recently.
“If true, that would make the data much more valuable than many of the recent leaks such as the one from Dropbox, which dates back to 2012,” warned Ars Technica.