Thousands exposed in hack of font sharing site DaFont

Over 98 percent of the passwords were cracked, thanks to the site's poor password security.

Zack Whittaker Writer-editor
Zack Whittaker is a former security editor for CNET's sister site ZDNet.
Zack Whittaker
2 min read

Usernames, email addresses and hashed passwords of more than 699,000 user accounts were stolen in the breach.

Getty Images

Popular font sharing site DaFont.com has been hacked , exposing its entire database of user accounts.

Usernames, email addresses and hashed passwords of 699,464 user accounts were stolen in the breach, carried out earlier this month, by a hacker who wouldn't divulge his name.

The passwords were scrambled with the deprecated MD5 algorithm, which nowadays is easy to crack. As such, the hacker unscrambled over 98 percent of the passwords into plain text. The site's main database also contains the site's forum data, including private messages, among other site information. At the time of writing, there were over half-a-million posts on the site's forums.

The hacker told ZDNet that he carried out his attack after he saw that others had also purportedly stolen the site's database.

"I heard the database was getting traded around so I decided to dump it myself -- like I always do," the hacker told me. Asked about his motivations, he said it was "mainly just for the challenge [and] training my pentest skills." He told me that he exploited a union-based SQL injection vulnerability in the site's software, a flaw he said was "easy to find."

The hacker provided the database to ZDNet for verification.

We verified a little over a dozen accounts by enumerating disposable email accounts with the site's password reset function. (We have more on how we verify breaches here.) In each case, the site validated the email address and was sent a new password (in plain text) to the disposable email account.

The hacker also provided the database to Troy Hunt, who runs breach notification site Have I Been Pwned.

Hunt's analysis of the database confirmed 637,340 unique email addresses in the database, with 62 percent of those email addresses already in his database.

While the hack of DaFont is far from the biggest data breach we've covered, it could still cause considerable headaches for a lot of people -- even if the free site didn't store any payment or other critically sensitive data. That's because this breach involves a huge trove of email addresses and passwords that could allow a hacker to break into other, more sensitive sites and services that share the same password.

In the case of corporate accounts, that could lead to further data breaches of sensitive and confidential business files. Among the confirmed email addresses we found in the breach, several accounts belonged to Microsoft, Google and Apple corporate accounts.

Dozens of accounts were also associated with UK and US government agencies.

We made several attempts to contact the site's registered owners, Rodolphe Milan and Nicolas Peton, but our emails and voicemails weren't returned in the days prior to publication.

Anyone thought to be affected by the breach can now search for their data in Have I Been Pwned.

This story originally posted as "Font sharing site DaFont has been hacked, exposing thousands of accounts" on ZDNet.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Batteries Not Included: The CNET team reminds us why tech is cool.