Quizme, a popular Polish entertainment platform used for creating and sharing quizzes, exposed the sensitive data of over 60,000 users. The exposed information included email addresses, IP addresses, linked Facebook accounts, usernames, and passwords. Because the platform hashed passwords with the outdated SHA-1 algorithm, attackers could easily crack them.
The leak was discovered on June 25, 2024, by the Cybernews research team, who found an open web directory on Quizme.pl. This directory allowed anyone to access backups containing user data, quizzes, answers, and activity logs. In addition, the private key for the website’s SSL certificate was exposed, potentially allowing attackers to intercept and decrypt traffic.
The Quizme support team responded quickly once the leak was responsibly disclosed. They attributed the issue to a configuration error and gave assurances that the SSL certificate had been updated. However, they admitted that the scope of the issue could not be fully determined, given the platform’s limited resources.
Experts warn users to change their passwords immediately and ensure they are not reusing them across other platforms. Cybercriminals may leverage the leaked data to take over accounts, perform phishing attacks, or engage in credential stuffing. Quizme has advised users to enable multi-factor authentication where available.
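The SHA-1 weakness described in the first paragraph can be remediated without waiting for every user to log in, by wrapping each stored digest in a salted, deliberately slow key-derivation function and upgrading the record at the next successful login. The following is an added example, not code from Quizme or Cybernews; it assumes the legacy records are plain hex SHA-1 digests (the article does not say whether they were salted), and the record format, function names and PBKDF2 iteration count are illustrative choices.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)

def legacy_sha1(password):
    # Assumed legacy scheme: one unsalted SHA-1 pass, hex-encoded.
    return hashlib.sha1(password.encode()).hexdigest()

def _stretch(data, salt):
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS).hex()

def _record(scheme, data):
    salt = os.urandom(16)  # per-record salt: equal passwords no longer match
    return f"{scheme}${salt.hex()}${_stretch(data, salt)}"

def wrap_legacy(sha1_hex):
    # Harden a stored digest at rest; the plaintext password is not needed.
    return _record("wrapped", sha1_hex.encode())

def hash_new(password):
    return _record("pbkdf2", password.encode())

def verify(password, stored):
    # Returns (ok, upgraded_record). upgraded_record is set when a legacy
    # or wrapped record should be replaced after a successful login.
    if "$" not in stored:  # bare SHA-1 hex that was never wrapped
        ok = hmac.compare_digest(legacy_sha1(password), stored)
        return ok, (hash_new(password) if ok else None)
    try:
        scheme, salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False, None  # malformed record
    if scheme == "wrapped":
        data = legacy_sha1(password).encode()
    elif scheme == "pbkdf2":
        data = password.encode()
    else:
        return False, None
    ok = hmac.compare_digest(_stretch(data, salt), digest)
    return ok, (hash_new(password) if ok and scheme == "wrapped" else None)

if __name__ == "__main__":
    # Constructed sample rows: two users who chose the same password.
    db = {u: legacy_sha1("quiz-night-2024") for u in ("user_a", "user_b")}
    print("identical SHA-1 digests:", db["user_a"] == db["user_b"])
    db = {u: wrap_legacy(h) for u, h in db.items()}  # one-off batch migration
    print("identical after wrapping:", db["user_a"] == db["user_b"])
    ok, upgraded = verify("quiz-night-2024", db["user_a"])
    print("login ok:", ok, "| upgraded to:", upgraded.split("$")[0])
```

Wrapping protects stored records from the moment of migration, but copies of the digests that were already exposed stay crackable, which is why the password-change advice above still applies.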