Exterminator

Details for over 43 million users have been stolen from the Weebly website building service, according to data breach index service LeakedSource, which announced today that they indexed a copy of the stolen data they received from an anonymous source.

Based on details found in the stolen data, LeakedSource estimates the breach took place in February 2016. The data breach index service also says that Weebly confirmed the breach.

"Unlike nearly every other hack, the Co-founder and CTO of Weebly Chris Fanini fortunately did not have his head buried deeply in the sand and actually responded to our communication requests," a LeakedSource spokesperson said today. "We have been working with them to ensure the security of their users meaning password resets as well as notification emails are now being sent out."

Weebly confirms data breach, has already started password resets
In a statement to Softpedia, a Weebly spokesperson confirmed the hack and detailed the company's next moves.

"Weebly recently became aware that an unauthorized party obtained email addresses and/or usernames, IP addresses and encrypted (bcrypt hashed) passwords for a large number of customers," the statement reads.

"At this point we do not have evidence of any customer website being improperly accessed," Weebly added. "We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident."

Weebly also tells Softpedia that they've started notifying customers and already initiated password resets. The company has also implemented new password requirements and launched a new dashboard that gives customers an overview of recent log-in history of their Weebly account.

Furthermore, Weebly has brought in external security consultants to improve their systems. The full, unaltered Weebly statement is available at the end of this article.

Passwords are safe, for now
The good news, according to LeakedSource, is that all user passwords were stored in Weebly's database using uniquely salted bcrypt hashing and a cost factor of 8.

Weebly has changed each password's cost factor to 10 after discovering the security breach, making future passwords even harder to crack.

The exact tally of the Weebly data breach is 43,430,316 user records. Weebly boasts on its website of having over 40 million users, so the data breach was a near full compromise of the entire Weebly userbase.

Even if passwords haven't been cracked at the time of this article, it's still a good idea to head over to your Weebly account and change your password, just to be sure.
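
The cost-factor detail above (uniquely salted bcrypt at cost 8, raised to 10) can be checked on stored hashes, because bcrypt records the cost and salt inside each hash string. The Python audit below is an added example, not part of the original article or Weebly's code; the sample rows, `TARGET_COST` and the function names are constructed for illustration.

```python
import re

# Modular crypt format for bcrypt: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2([abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
TARGET_COST = 10  # assumption: the cost factor the article says Weebly moved to

def parse_bcrypt(stored):
    """Return (variant, cost, salt) for a bcrypt hash string, or None if malformed."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:  # bcrypt only defines costs 4..31
        return None
    return "2" + m.group(1), cost, m.group(3)

def work_ratio(old_cost, new_cost):
    """bcrypt does 2**cost key-setup rounds, so each +1 doubles the work per guess."""
    return 2 ** (new_cost - old_cost)

def audit(records, target=TARGET_COST):
    """Sort accounts into ok / rehash_on_login / invalid and flag reused salts."""
    report = {"ok": [], "rehash_on_login": [], "invalid": [], "duplicate_salts": []}
    seen_salts = {}
    for user, stored in records:
        parsed = parse_bcrypt(stored)
        if parsed is None:
            report["invalid"].append(user)
            continue
        _, cost, salt = parsed
        # A salt shared by two accounts means the hashes are not uniquely salted.
        if salt in seen_salts:
            report["duplicate_salts"].append((seen_salts[salt], user))
        seen_salts.setdefault(salt, user)
        # A stored hash cannot be re-costed without the plaintext, so low-cost
        # entries are upgraded when the user next logs in or resets the password.
        report["rehash_on_login" if cost < target else "ok"].append(user)
    return report

# Constructed sample rows (placeholder salt/digest characters, not real hashes).
SAMPLE = [
    ("alice", "$2a$08$" + "A" * 22 + "b" * 31),
    ("bob", "$2y$10$" + "C" * 22 + "d" * 31),
    ("carol", "$2a$08$" + "A" * 22 + "e" * 31),  # reuses alice's salt
    ("dave", "0" * 32),  # 32 hex characters, not a bcrypt string
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print("cost 8 -> 10 work ratio:", work_ratio(8, 10))
```

Moving from cost 8 to cost 10 makes each password guess four times as expensive for anyone holding the leaked hashes at the old cost.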