Promo.com, a video creation platform for businesses and agencies, has confirmed a data breach after bad actors posted a database containing 22 million user records on a hacking forum.
The award-winning video maker, which is partnered with social media venues such as Facebook and Instagram, allows users to create an unlimited number of promotional videos that can be shared online.
In a data breach memo, Promo.com announced that it became aware of the security incident on July 21, linking the breach to one of its third-party service providers.
“On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data,” the letter reads. “We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened.”
No financial data such as credit cards or billing information was exposed in the breach. However, personally identifiable information was accessed and exfiltrated by the attackers.
The compromised data is listed on the Promo Data Breach FAQ page and includes first and last name, email address, IP address, approximate user location based on the IP address, gender, and the encrypted, hashed and salted passwords to the Promo or Slidely account. However, “your Log in via your social media account was not affected,” the company added.
Promo.com underlined that it has completely removed the vulnerable third-party service, and that it has hired a cybersecurity firm to help enhance its protection and intrusion detection mechanisms to prevent future unauthorized access to its customer database.
Since hashed and salted passwords can still be cracked by cyberthieves, the company encourages users to immediately reset their Promo.com account password, along with the passwords of any other accounts that share the same login credentials. As an additional precaution, users should also regenerate any social media login tokens, where possible.
A dedicated 24/7 support team may be contacted via firstname.lastname@example.org by any users who have questions or concerns regarding their account security.