A hacker has obtained over 685,000 usernames and passwords for the popular free font site.
DaFont.com is probably the best known source of free fonts on the web – offering over 32,000 free fonts, some great and some examples of the worst font design ever committed. But ZDNet is reporting that earlier this month, a hacker gained access to its database and has stolen 699,464 user accounts – and has managed to crack over 98 percent of its passwords.
He downloaded the database, which also included all of the site’s forums – including private messages. The hacker supplied the database to ZDNet for verification, which they were able to do, and to the site Have I Been Pwned, which allows you to enter your email address and see if it’s in some of the hacked databases available on the web (mine appears in data stolen from Adobe, Dropbox and LinkedIn, apparently).
The hacker claims that others have also hacked the database, and are sharing it on the web – which is why he came forward. He says that it was relatively easy to access the site’s database using a ‘union-based SQL injection vulnerability in the site’s software’ and crack the passwords, which had been hashed using the deprecated MD5 algorithm.
The journalist who wrote the story says that he’s been attempting to contact the site’s owners – Rodolphe Milan and Nicolas Peton – but has been unable to do so.
Will the DaFont hack affect me?
The hack will only affect you if you’ve registered an account on DaFont.com – which isn’t necessary to download fonts. Registering an account is required to comment on fonts or within the forum – or to upload fonts to the site. So font designers will be most affected by this.
If you have registered an account, there’s probably little to worry about unless you’ve said anything embarrassing in a private message – or you’ve used a username/email address and password combination that will also work on another site. If you have used that combo on other sites, go change them now.
If you're not sure if you've ever registered an account, Have I Been Pwned will tell you if you're in the stolen database (and others too).
Adobe, Dropbox and Handbrake hacked
DaFont is just the latest company offering products or services for the creative community to be hacked. 2.9 million Adobe accounts were compromised in 2013. 68 million Dropbox passwords were leaked after a hack in 2016. And just last week, the free Mac encoding software Handbrake was replaced with a version including malicious code – which led to source code from Coda and Firewatch developer Panic being stolen.