DaFont hack: Popular font sharing site's entire database of registered users exposed

Popular font sharing site DaFont's entire database of user accounts has reportedly been compromised by an unknown hacker earlier this month. ZDNet reports that the usernames, hashed passwords and email addresses of 699,464 registered user accounts were stolen in the hack.

Although DaFont does hash its users' passwords, the site used the outdated MD5 hashing algorithm to scramble passwords, which has proven to be easy to crack. The hacker told the tech site that he was already able to decrypt over 98% of the passwords into plain text.

Users that employ the seemingly routine, but extremely unsafe practice of using the same password across multiple platforms and services could risk having their other accounts compromised as well.

DaFont's database also included the site's forum data, private messages and other site information.

"I heard the database was getting traded around so I decided to dump it myself - like I always do," the hacker told ZDNet. The attacker said he did it "mainly just for the challenge [and] training my pentest skills."

To carry out the attack, the hacker said he exploited an "easy to find" union-based SQL injection vulnerability in the website's software.

IBTimes UK has reached out to DaFont for comment.

The hacker provided the stolen database to ZDNet and security expert Troy Hunt, the administrator of the breach notification site Have I Been Pwned, for verification.

Hunt's analysis found the database 637,340 unique email addresses. He also found 62% of those email addresses were already in his database from earlier breaches.

The confirmed email addresses found in the breach included several corporate accounts belonging to staffers at Microsoft, Google and Apple. Multiple accounts associated with government agencies in the US and UK were also found.