“To verify that the data was legitimate, Motherboard attempted to create accounts with random email addresses included in the data. In every instance, this was not possible, because the email was already linked to an account on CashCrate,” the publication reported.

Furthermore, Motherboard noted that CashCrate does not use basic web encryption, including on its login page, meaning that credentials could be exposed to anyone in a position to intercept them.

In an emailed statement, the site said it’s currently in the process of notifying its members about the breach. “While we’re still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We’ve deactivated it until we’re confident it’s secure,” said a CashCrate spokesperson.

“We have also confirmed that any users who have logged in since October 2013 have passwords that are fully hashed and salted, and we’re looking into why some inactive accounts have plaintext passwords. Those will be hashed and salted immediately,” the spokesperson told Motherboard.