BitDefender fails to encrypt usernames and passwords

Leak exposes 250 users

BitDefender has compromised the details of around 250 users after a data breach revealed that it doesn't encrypt details of certain customers.

First reported by Forbes, the DetoxRansome group behind the hack showed that the usernames and passwords they pilfered were completely unencrypted. The passwords would have been incredibly hard to crack if encrypted.

The Romanian firm admitted that it found a potential security issue with one of its servers and said that a single application had been targeted, which is a part of its public cloud offering.

Attackers didn't penetrate the server but it explained that "a vulnerability potentially enabled exposure of a few user accounts and passwords." The number of passwords leaked was "very limited" and amounted to less than 1% of its small and medium sized business customers.

$15,000 ransom

"The issue was immediately resolved and, additional security measures were put in place in order to prevent it from reoccurring. As an extra precaution, a password reset notice was sent to all potentially affected customers," a spokesperson told Forbes. "This does not affect our consumer or enterprise customers. Our investigation revealed no other server or services were impacted."

News of the breach broke last week after DetoxRansome attempted to force BitDefender to pay $15,000 (around £9,629, or AU$20,639) or see the whole database leaked. Not many usernames and passwords were taken, however, the fact they were decrypted is a worrying one.