A recent cybersecurity breach on Quizme, a widely used Polish quiz platform, has compromised the personal data of over 60,000 users. The breach exposed sensitive information, including easily decipherable passwords, putting users at risk of unauthorized account access and phishing attacks.
Discovery and Details of the Breach
On June 25, 2024, cybersecurity experts from Cybernews identified an unsecured web directory on Quizme.pl. This directory allowed external parties to list and access its subfolders and files without requiring authentication.
Within the directory were database backups containing email addresses, IP addresses, Facebook account links, usernames, and passwords of over 60,000 users. Unfortunately, the platform used SHA-1, an outdated and insecure hashing algorithm, to protect passwords. This makes them vulnerable to being cracked with modern computing technology.
In addition to personal data, the backups contained information about quizzes users took, their answers, and activity logs. Because these backups were updated daily, the exposed information was at most 24 hours old.
Risks and Implications
“Quizzes and responses can reveal a lot about participants’ interests and preferences,” noted Cybernews researchers. “Such data can be exploited for spearphishing attacks, where personalized malicious messages are sent to victims.”
Alarmingly, the breach also included the website’s SSL certificate private key, potentially enabling attackers to intercept and decrypt user communications through man-in-the-middle attacks.
According to Similarweb, Quizme.pl attracts about one million users each month and ranks among Poland’s top 1000 websites. Despite this, the website’s ownership remains unclear, as its privacy policy and related documents do not disclose this information.
Response and Recommendations
Following responsible disclosure of the breach, Quizme’s support team acted quickly to resolve the issue. “The problem stemmed from an outdated configuration and oversight by our developer, not from malicious intent,” they explained. “As a small website, we lack the resources to fully assess the breach’s scope.”
The team has since updated the SSL certificate and plans to notify affected users, advising them to change their passwords. Quizme also encourages users to ensure their passwords are unique across platforms and to enable multi-factor authentication wherever possible.
Potential Threats from Leaked Data
While it remains uncertain if malicious actors discovered the breach before Cybernews, exposed data could lead to account takeovers and other attacks. Threat actors may also analyze user activities for further sensitive information, perform credential-stuffing attacks, or use email addresses for phishing.
Cybernews researchers emphasized the added risk due to Quizme’s educational focus, noting that leaked data likely includes minors’ information, potentially related to school quizzes and activities.
Security Recommendations
Experts urge users to change compromised passwords immediately and ensure they are not reused on other platforms. Enabling multi-factor authentication can provide an additional layer of security.
For website owners, maintaining robust access controls is vital to safeguarding security infrastructure. In the event of a data breach, swift action should be taken to restrict access to sensitive data, reset compromised credentials, and notify affected users with clear instructions.
The incident highlights the need for Quizme to conduct a comprehensive security audit to strengthen its systems, given the weakness of its password-hashing methods.
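One way a site in this position could retire SHA-1 password storage, shown as an added example that is not Quizme's code or part of the original report. It assumes the stored values are unsalted hex SHA-1 digests (the report does not say whether a salt was used); the record format, function names, scrypt cost parameters and sample user are all hypothetical.

```python
import hashlib
import hmac
import os

# Assumed cost parameters; tune them for the hardware that serves logins.
PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

def _scrypt(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, **PARAMS)

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def _record(scheme: str, secret: str) -> str:
    # Stored as scheme$salt$derived_key with a fresh random salt per user.
    salt = os.urandom(16)
    return f"{scheme}${salt.hex()}${_scrypt(secret, salt).hex()}"

def hash_password(password: str) -> str:
    return _record("scrypt", password)

def migrate_all(users: dict) -> int:
    """Wrap every bare SHA-1 digest in scrypt without needing the password,
    so no fast hash is left in the database or in its backups."""
    legacy = [name for name, stored in users.items() if "$" not in stored]
    for name in legacy:
        users[name] = _record("scrypt-sha1", users[name].lower())
    return len(legacy)

def login(users: dict, username: str, password: str) -> bool:
    stored = users.get(username)
    if stored is None or "$" not in stored:
        return False  # unknown user, or a record migrate_all() has not wrapped
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme not in ("scrypt", "scrypt-sha1"):
        return False
    # Wrapped records were derived from the SHA-1 hex digest, not the password.
    secret = _sha1_hex(password) if scheme == "scrypt-sha1" else password
    derived = _scrypt(secret, bytes.fromhex(salt_hex))
    ok = hmac.compare_digest(derived, bytes.fromhex(dk_hex))
    if ok and scheme == "scrypt-sha1":
        users[username] = hash_password(password)  # drop SHA-1 from the chain
    return ok

# Constructed sample: one user whose record is still a bare SHA-1 digest.
SAMPLE_USERS = {"ala": _sha1_hex("kotek123")}
```

Wrapping protects accounts that never log in again, while the rehash at login removes SHA-1 from the chain for active users. Passwords that were already exposed still need to be reset.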