Care2 has notified users of a security breach. In its FAQ, the online community said that it discovered the breach on December 27, but as of December 28, “We are currently unable to determine the full extent of the security breach.” The site is forcing a password reset and urging members to change their passwords on other sites if they re-use passwords.
A copy of the e-mail notification sent to members today was forwarded to DataBreaches.net by a recipient:
To All Care2 Members:
We have discovered that Care2.com servers were attacked, resulting in a security breach. The hackers were able to access login information for Care2 member accounts. Our team has worked to secure Care2.com against this type of attack from recurring.
To protect Care2 members we are resetting access to all Care2 accounts. The next time you login to Care2, you will be automatically emailed a new password, which will enable you to access your Care2 account as usual.
To recover your password, you can also visit our password retrieval form http://www.care2.com/go/z/e/Ag5Vq/zLzm/SxwU and enter your username or email. Your password will be emailed to you.
To secure your privacy, we highly recommend you immediately change your password for any accounts that share the password you previously used on Care2.
If you have any questions or concerns, please email us at: [email protected]
We sincerely apologize for this inconvenience. We take the security of our members very seriously and are taking these extreme steps to reduce the chances of any possible negative consequences.
Founder & President, Care2
Care2’s home page indicates it has 17,900,617 members, but the notification says that the hackers were (only?) able to access login information for a “limited number” of Care2 member accounts. I wonder what they consider “limited number.” And I wonder what other information the hackers acquired.
Significantly, perhaps, a number of commenters noted that they were surprised to learn of a breach involving their login information as they had never signed up for an account. An
administrator commenter replied:
To the best of my knowledge, anyone who has ever signed a petition at the Petition Site run by Care2, is automatically given a profile / account. That may be how many of you were added. Also, long ago, Care2 had a number of very popular newsletters, and people who subscribed to those were given profile pages when the newsletters were turned into groups. [See CORRECTION BELOW]
So I also wonder whether Care2.com ever sought or obtained consent to create profile pages for individuals who only signed up to receive a newsletter by e-mail.
And I wonder why they are reportedly e-mailing passwords to users in clear text.
CORRECTION OF 1-15-12: I erroneously attributed a comment above to an administrator. See Comment below.