Evite invites over 100 million people to their data breach! All users should change their passwords since personal data was sold on the Dark Web.
The data breach monitoring service Haveibeenpwned.com has added a database dump of almost 101 million Evite users who had their information exposed when attackers gained unauthorized access to Evite's servers, Bleeping Computer reports.
In May 2019, Evite posted a data incident notice disclosing that an unauthorized third party had gained access to their servers starting on February 22, 2019, and was able to access members' personal data. No financial information or Social Security numbers, though, were part of the breach.
“Potentially affected information could include names, usernames, email addresses, passwords, and, if optionally provided to us, dates of birth, phone numbers, and mailing addresses.”
At the time, it was thought that approximately 10 million users had their information exposed, as an Evite database of that size was being sold on an online underground marketplace by a person named “gnosticplayers”. This same person was also involved in selling various large collections of breached data.
According to a database received by Have I Been Pwned, the number of exposed users is allegedly much larger. HIBP states that the database they received consists of 100,985,047 unique Evite users, with the data exposed being the same as what was disclosed in the original breach notification.
“In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorized access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders, and passwords stored in plain text exposed. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”
Not known if being sold online
The original leaked database was being sold on the online underground market named Dream Market. This site has since been shut down, so it is not currently known where or if this larger Evite database is being sold online as well.
Due to the large number of exposed users, anyone who has an Evite account is advised to change their password. Furthermore, if you use that same password at other sites, you should change it there as well to prevent it from being used in credential stuffing attacks.
BleepingComputer has contacted Evite and JimScott.Sec@protonmail.com with questions about this database, but has not heard back at the time of this publishing.
Update 7/17/19: Jim Scott got back to Bleeping Computer and told us that the 10 million accounts originally being sold contained all information. The other 91 million only included email addresses.
Abrams, Lawrence. (2019, July 15). Evite Invites Over 100 Million People to Their Data Breach. Bleeping Computer.