PSA: Data Breach - Ulmon.com - CityMaps2Go App - 778k Accounts Affected

Since this app deal has been posted here a lot over the years and is quite popular, this may be of interest to a few people.

INFORMATION ON ULMON USER ACCOUNT DATA BREACH

Breach: Ulmon
Date of breach: 26 Jan 2020
Number of accounts: 777,769
Compromised data: Bios, Email addresses, Names, Passwords, Phone numbers, Social media profiles
Description: In January 2020, the travel app creator Ulmon suffered a data breach. The service had almost 1.3M records with 777k unique email addresses, names, passwords stored as bcrypt hashes and in some cases, social media profile IDs, telephone numbers and bios. The data was subsequently posted to a popular hacking forum.

Related Stores

ulmon.com

Comments

  • +1
    • Pwned on 10 breached sites and found 1 paste (subscribe to search sensitive breaches)

      Uh oh. Better check my bank accounts!

      • I doubt this is reliable. My personal email has been pwned on myspace , yet I've never been on it. Weird.

• I think it's a case of if your email shows results on HIBP, you have definitely been pwned. But if your email doesn't show up it doesn't necessarily mean you haven't been pwned. While HIBP is the most exhaustive publicly available breach database it by no means contains all breached data ever in history.

  • +2

    Password leaked as bcrypt hashes only should still be secure for those of you reusing passwords across services. Still, better safe than sorry and you should change the password if you use it anywhere else with the same email address.

Heartily recommend Bitwarden should this give anyone enough of a kick up the bum for them to consider using a password manager.

  • Checked my email address. I'm not even sure what address I used to sign up… I definitely signed up for the free premium app thing, the pro version. Or maybe I didn't have to…

    I can't remember.

  • +1

    I'm not impressed with the way this company has handled this.

    • They did NOT post this on their blog (https://www.ulmon.com/blog) - this post is privately posted on https://www.ulmon.com/blogging
    • They did NOT inform users via email - I received a notification from @haveIbeenpwned, but no email from Ulmon.
    • There is NO notice on their website homepage about the event, or anything else I can find from them that links to that /blogging page.
    • They have not advised whether the hashed passwords were salted or not.
• They make it sound like the passwords are reasonably safe: "only strongly bcrypt encrypted/hashed passwords have been stolen"

    Under the GDPR, they are required to notify users when there has been a personal data breach. (https://gdpr-info.eu/art-33-gdpr/)
    I do not consider a private blog post to constitute fair notification.
    I visited their website after this leak occurred looking for more information, and found nothing - and I even checked their blog!

    • +1

      They have not advised whether the hashed passwords were salted or not.

bcrypt is 'self-salting' but yeah, be good to know if they are adding anything extra on top as that round only really prevents rainbow and hash table use, not brute-forcing. Then again, given the scope of the breach I'd assume the attackers had any stored salts too.

      You're right, dreadful comms, all round.
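The two technical points raised in this thread (bcrypt carries its own salt, so anyone holding the hash holds the salt, and the cost factor rather than the salt is what slows down guessing) can be seen directly in the stored string. The following is an added example, not code from the thread or from Ulmon; it parses the bcrypt modular-crypt format with the standard library only and applies a minimum-cost policy check of the kind a defender would run over a password table. The hash strings below are constructed samples with made-up salt and digest characters, not real Ulmon data.

```python
import re
from typing import NamedTuple

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
# The salt is stored in clear alongside the digest, which is what "self-salting" means.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Minimum cost a defender would accept today (assumption for this example: 12).
MIN_COST = 12


class BcryptHash(NamedTuple):
    version: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its components; reject anything else."""
    m = BCRYPT_RE.fullmatch(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost_str, salt, digest = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:  # range allowed by the bcrypt algorithm
        raise ValueError(f"cost {cost} out of range")
    return BcryptHash(version, cost, salt, digest)


def key_setup_rounds(cost: int) -> int:
    """Expensive key-setup iterations per guess: 2**cost. Each +1 doubles attacker work."""
    return 2 ** cost


def meets_cost_policy(stored: str, minimum: int = MIN_COST) -> bool:
    """True if the hash was produced with at least the required work factor."""
    return parse_bcrypt(stored).cost >= minimum


def audit(hashes: list[str], minimum: int = MIN_COST) -> list[dict]:
    """Per-hash report: the salt is always present, so only the cost decides exposure."""
    report = []
    for h in hashes:
        parsed = parse_bcrypt(h)
        report.append({
            "version": parsed.version,
            "cost": parsed.cost,
            "rounds_per_guess": key_setup_rounds(parsed.cost),
            "salt_in_clear": True,
            "meets_policy": parsed.cost >= minimum,
        })
    return report


# Constructed sample rows (fake salt/digest characters, valid length and alphabet).
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU",
    "$2a$05$SaltSaltSaltSaltSaltSaDigestDigestDigestDigestDigestD",
    "$2y$10$00000000000000000000001111111111111111111111111111111",
]

if __name__ == "__main__":
    for row in audit(SAMPLE_HASHES):
        print(row)
```

Run stand-alone it prints one row per sample hash. The takeaway for the thread's question is that "were the hashes salted" is answered by the format itself (the 22 characters after the cost are the salt, visible to anyone with the dump), while whether cracking reused passwords is practical depends on the cost field, which Ulmon's notice did not state.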
