On April 29, 2016, MOTHERBOARD alleged that a hacker calling themselves “Peace” was advertising a cache of data for sale on the dark web: email addresses, inadequately secured stored passwords, phone numbers, and data on users’ phone models and operating systems, all illegally obtained from the photo-sharing and video-streaming app “17”.
Peace was in contact with MOTHERBOARD by way of an encrypted chat and claimed the information was stolen via an app server, not the company website. To verify the hacker’s claim, MOTHERBOARD obtained a small sample of the data along with Peace’s listing. Using the obtained data, MOTHERBOARD was able to reach some of the victims directly and to verify that many of the user names matched active accounts on “17”.
Furthermore, it was learned that the 17 user passwords were hashed using the infamously weak MD5 algorithm. MOTHERBOARD was easily able to crack the 17 users’ full passwords with just the assistance of simple online (hacking) tools, which further verified the hacker’s claims.
MOTHERBOARD contacted Popo Chen, the co-founder of the 17 app, by email to alert the company to the breach. Chen responded by email, saying, “We take every threat to personal user data and security with the utmost priority.”
However, Chen would not confirm for MOTHERBOARD the veracity of the information presented about the hack. When MOTHERBOARD tried to confirm the number of users 17 had at the time the breach occurred, Chen did not respond to that inquiry. A few days later, Chen told MOTHERBOARD that the company was in the process of buying the data from the hacker (Peace).
Unfortunately, by the time MOTHERBOARD published the data breach news on its site, the hacker had already sold the data twice and had another sale pending. The stolen data was being sold on the dark web for just under $150.00 in bitcoin.
Because no other information is available at the time of this writing on how, or whether, 17 has notified its users, it is advisable for anyone who has installed the app to immediately change their user name and password. If you have used the same user name or password for any other sites, you should change them as well.
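
For operators who still hold MD5 password records like those the article describes, the following added example (not code from MOTHERBOARD or 17) shows one way to upgrade each record to salted scrypt the next time its owner logs in. It assumes the legacy records are unsalted hex MD5 digests, which the article does not confirm; the record format, function names and scrypt cost parameters are illustrative.

```python
import hashlib
import hmac
import os
import re

# Assumed scrypt cost parameters (about 16 MiB per hash); tune for your hardware.
N, R, P, DKLEN = 2**14, 8, 1, 32
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # assumed legacy format: bare hex MD5


def legacy_md5(password: str) -> str:
    """The weak scheme: fast, unsalted, same password gives same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard record: 'scrypt$<salt hex>$<key hex>'."""
    salt = os.urandom(16)  # per-user random salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, record_to_store). A legacy MD5 record that verifies
    is replaced by a scrypt record; everything else is left unchanged."""
    if LEGACY_MD5.fullmatch(stored):
        if not hmac.compare_digest(legacy_md5(password), stored):
            return False, stored
        return True, hash_password(password)  # upgrade on successful login
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False, stored  # malformed record: fail closed
    if scheme != "scrypt":
        return False, stored
    key = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                         dklen=len(expected))
    return hmac.compare_digest(key, expected), stored


if __name__ == "__main__":
    # Constructed sample table: two users who chose the same password.
    users = {"alice": legacy_md5("sample-pw"), "bob": legacy_md5("sample-pw")}
    print("identical MD5 records:", users["alice"] == users["bob"])
    for name in users:
        ok, users[name] = verify_and_upgrade("sample-pw", users[name])
    print("identical after upgrade:", users["alice"] == users["bob"])
```

Accounts that never log in again keep their MD5 record, so a migration like this is normally paired with a forced reset for records still in the legacy format after a cutoff date.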