This story is over 5 years old.


Hackers Steal 6 Million User Accounts for Cash-for-Surveys Site

The data includes email addresses, passwords and physical addresses.

In one of the more bizarre data breaches to surface recently, hackers made off with 6 million accounts for CashCrate, a site where users can be paid to complete online surveys, according to a database obtained by Motherboard.

In short, CashCrate connects users to companies that need people to test new products and services, or take part in daily surveys in exchange for cash.

The data includes user email addresses, names, passwords, and physical addresses.


Judging by timestamps in the stolen database, the earliest accounts date way back to 2006, and come with full passwords. If a user signed up to another service with the same password, hackers could access the victim's account on another site, as well as their CashCrate account.

Accounts from mid 2010 onwards appear to have passwords hashed with the notoriously weak MD5 algorithm, meaning that hackers may be able to crack the hashes and obtain the real login credentials.

For-profit breach notification site LeakBase provided Motherboard with a copy of the CashCrate data.

To verify that the data was legitimate, Motherboard attempted to create accounts with random email addresses included in the data. In every instance, this was not possible, because the email was already linked to an account on CashCrate.

As an indication of CashCrate's approach to cybersecurity, the site does not use basic web encryption, including on its login page, meaning that credentials could be exposed to anyone in a position to intercept them.

"We're in the process of notifying all our members about the breach. While we're still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We've deactivated it until we're confident it's secure," a CashCrate spokesperson told Motherboard in an email.

"We have also confirmed that any users who have logged in since October 2013 have passwords that are fully hashed and salted, and we're looking into why some inactive accounts have plaintext passwords. Those will be hashed and salted immediately," the spokesperson added.

The lesson: We all sign up to odd or random websites. If possible, it may be worth using a different email address for these more leftfield sites, or even creating dedicated addresses for each. That way, when a breach does occur, any fallout will be mitigated, and hopefully limited to only one or a few sites. That, and you should use a unique password for every site too.

Another day, another hack.