Lifestyle pin-up site Pinterest: Hack attempts blamed on 'credential stuffing'
You might just have to wing it with that potpourri recipe
There’s a chill going around cyberspace with an upsurge of people concerned that their Pinterest account has been hacked.
Searches for the term “Pinterest hacked” spiked last week while "pinterest password" started to trend on Twitter. UK security researcher Scott Helme recently reported that his Pinterest account had been temporarily frozen after someone attempted to log into his account, seemingly from Egypt.
"The worrying thing is that I use a @1Password generated password that isn't re-used on any other service, so I'm not sure how someone could have logged into my account," Helme said in a Twitter update.
Pinterest responded to Helme's inquiry on the incident by stating that accounts on the social networking site are being targeted using credentials leaked from third-party breaches.
Security researcher Troy Hunt (of haveibeenpwned fame) is unsatisfied with this explanation and claimed what he has been seeing goes "well beyond password reuse and credential stuffing".
In Helme's case the breach incident related to an account he hadn't used for years. Helme accepted Pinterest's explanation of a credential-stuffing attack as plausible, if not definitive.
Helme explained: "I think I've just figured out the @Pinterest thing and it looks like it is most likely credentials being used from another breach. A while back (a few years) I changed my main email address and changed it on all the services I had registered it with."
He added: "Back then I either didn't or couldn't do that on Pinterest and must have registered a new account with my new email, leaving an old account lurking online, alone and unused."
This old account had a unique password but one derived from a system Helme abandoned some years ago when he moved over towards using a password manager. "I honestly can't remember when I even last used Pinterest and I have 100s of more valuable accounts that someone would get access to if it was a browser extension or malware," he said.
Things have moved on for Pinterest too, which these days implements two-factor authentication.
Zendesk, the firm that handles the help desk emails for Pinterest (among others), admitted to a security breach four years ago. The customer service provider admitted that a hacker had downloaded email addresses for users who had got in touch with Tumblr, Twitter and Pinterest via Zendesk for support.
It is unclear whether fallout from this breach or something else is behind the security flare-up surrounding Pinterest.
The social networking site told The Reg:
Recently, some Pinterest users experienced suspicious activity on their accounts, likely due to their login information being exposed in past breaches of other websites. We immediately began working on securing accounts and notifying Pinners. To be extra cautious, we're proactively notifying users via email (and directing to our Help Center as well) whose data may have been compromised outside of Pinterest, to recommend that they reset their passwords.
We're also recommending Pinners sign up for two-factor authentication, which provides extra security and prevents vulnerabilities. As we use multiple techniques to secure accounts, we know the best precaution for people across platforms is to use strong and unique passwords.
Hackers often use login credentials leaked in one breach in attempts to hack unrelated sites, on the basis that punters may have used the same password elsewhere on the web. This explanation doesn't fit with the apparent presence, among those who were hacked, of people who have said they used unique passwords.
Pinterest has been in touch to claim it has "not seen instances of users complaining of attacks while they have unique passwords", as well as dismissing the Zendesk breach as a plausible jumping-off point for recent attacks on the social network. "The Zendesk breach did not involve password information, so that would not be a plausible source of this attack," a spokeswoman added. ®