"We would like to inform you of a recent incident affecting the security of certain data hosted by one of our service providers.

What happened?

At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.

Our security team took immediate action. Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers. Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS provider’s API, certain private information about you.

The information concerned is your first and last name, e-mail address, date of birth, billing address and credit card expiry date. It is important to note that no passwords or sensitive banking data have been compromised.

What actions have we taken?

As soon as this incident was discovered, we took immediate steps to secure our systems and took all necessary precautions to avoid future incidents. We have also reinforced the security protocols we apply with all our SaaS providers. Finally, we will be upgrading our internal systems to render compromised workstations harmless.

What can you do?

In the wake of this incident, please be very vigilant about the emails you receive, as they could be phishing attempts. In general, for all your accounts, we advise you to protect yourself by setting up multi- factor authentication (“MFA”).

To set up MFA on your Shadow account, please refer to the following

guide: https://shdw.me/HC-B2C-2FA

We are here for you

We sincerely apologize for the inconvenience and assure you that we are doing everything possible to ensure the security of your data.

If you have any questions or concerns, please do not hesitate to contact our customer service department at https://shdw.me/HC- B2C-Support Form

Thank you for your understanding and trust.

Best regards,

Eric Sèle, CEO, Shadow"

    • 0xD@infosec.pub
      link
      fedilink
      English
      arrow-up
      27
      arrow-down
      2
      ·
      1 年前

      These things are often saved in entirely different places, so no, that is not a stretch.

    • TimeSquirrel@kbin.social
      link
      fedilink
      arrow-up
      7
      ·
      1 年前

      Even if they got a password, you’d have to be incredibly stupid to store it in clear text on your database in 2023.

      • TORFdot0@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        7
        ·
        1 年前

        It’s not exactly that hard to crack passwords from a hash anymore. I don’t know if shadow has MFA but you should assume that if all you have is a password that your account is already compromised.

        • httpjames@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          9
          ·
          1 年前

          It’s actually pretty difficult still if you’re using secure hashing functions like Argon2 and bcrypt because they’re hard on memory and computational power, meaning brute force attacks are pretty much infeasible, both due to hardware requirements and long hashing times.