Users of Trakt — a service for “scrobbling”, or tracking the movies and TV shows you watch in the likes of Plex and Kodi — have received emails from the company notifying them of a data breach that took place way back in 2014.
Trakt says that although the security breach took place over four years ago, it only recently discovered it. The company says that an investigation is underway, but that it believes a “PHP exploit was used to capture data”, including users’ emails, usernames, encrypted passwords, names and locations.
The email starts by saying: “We are contacting you today because we have learned of a data breach that occurred back in December 2014. The breach involved some of your personal information such as username, email and encrypted password. Although this happened in 2014, we only recently discovered this, and wanted to promptly provide notice as part of our commitment to your privacy”.
Trakt goes on to reassure anyone who was paying for a VIP service that no payment information has been compromised. The company also says that as of January 2015 — without knowledge of the breach having taken place — Trakt moved to a more secure version of its website which, seemingly by accident, removed the exploit that previously existed.
The email explains:
THE GOOD NEWS
To any VIPs, no payment information was included in the breach. All payment data is securely held by payment processors and never within our own servers.
Next, in January 2015, we moved from version 1 of our site to version 2. In doing so, we removed any access outsiders had to your information and accomplished three key things to strengthen our security:
- We moved to a more secure algorithm for storing passwords
- Our platform change removed the exploit
- The new infrastructure has far tighter restrictions
Our investigation is ongoing, but we believe a PHP exploit was used to capture data from Trakt users.
Users who have been affected by the breach should receive a further email that includes a password reset link. Trakt says that, alongside the ongoing investigation, it is monitoring the site for further signs of suspicious activity.