Silverpop's database exposed, deviantART email addresses leaked

DeviantART, the world's largest social network for artists, has had one of its databases exposed. This latest breach comes in the shadow of the McDonald's member database and Gawker database exposures of the past two days.

DeviantART notified its users via its newsletter and stated that "Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. This was probably part of a sweep by spammers. As a result, email addresses belonging to deviantART members were copied. Corresponding usernames and birth date may also have been removed."

The significance is that the database contained 13 million email addresses that are now in the hands of spammers, who may launch a new phishing scam against the members. DeviantART, via Softpedia, states that along with email addresses, birth dates and usernames may have been leaked, but passwords were not compromised.

While this breach is not as dangerous as the Gawker exposure because passwords were not leaked, it does continue the worrying trend of databases being compromised. For good measure, it's always a good idea to create a strong password: one that has letters and numbers at minimum and, if the system allows, symbols and case-sensitive characters.

[Update] We have been contacted by DeviantART, who wanted to clarify a few issues that Softpedia misreported:

"While we're not at liberty to provide any additional details due to the ongoing investigation, we do want to clarify a few inaccuracies: 1) Not all of our members were impacted. The ones who were received an email from the company. 2) We explicitly stated that it was Silverpop's servers that were breached - not deviantART's. None of our servers or other systems were compromised."

80 Comments


So far I haven't noticed an increase in spam e-mail, so there's no issue yet. My password isn't something simple or easy to guess, so my e-mail address and DeviantART account aren't at risk. The only way I can see it becoming an issue is if my inbox suddenly begins allowing spam e-mail in through its filter.

I didn't get one, and the email I used to sign up is exactly for this reason. So my inbox isn't spammed with crap. I don't even regularly check that address. No loss.

Do they mean that passwords were encrypted with an MD5 hash and therefore spammers only have hashes and not real passwords, or do they mean that they stored password hashes separately from user names and email addresses?

That's a lot of databases compromised with recent attempts on major sites and two Australian banks having software "glitches" leaving customers with zero balances - I can see the internet becoming a war zone in the not too distant future...

Why are they not storing hashes instead of encrypted/encoded/plain-text passwords?
I'm glad to see DeviantART at least not saving plain-text passwords.

Brian Miller said,
Why are they not storing hashes instead of encrypted/encoded/plain-text passwords?
I'm glad to see DeviantART at least not saving plain-text passwords.

Only emails and birthdates were taken. No passwords, clear or encrypted or hashed were taken.

cybertimber2008 said,

Only emails and birthdates were taken. No passwords, clear or encrypted or hashed were taken.

I meant "they" as in general websites, not DeviantART. I'm glad the passwords could not be obtained from the DeviantART DBs

Hmm.. I never got an email from them... However, that will explain why I now have 2,865 emails in my spam box since yesterday evening until now. Make that 2,866 as I finish this last sentence.

lol, what's with this hacking spree lately...
And how come so many sites have so weak admin passwords?

This time around, I actually had a user on the hacked site. But I don't remember which mail address I used. I didn't get any mail anyway. Could've been my hotmail address then, which I no longer really use.

Great, my deviantart account of 7 years... being inactive since at least 5 years ago compromised my email account which I also haven't used in the last 5 years. Yet it still managed to send emails to everyone on a contact list which I gutted years ago... how the hell?

Ridiculous.

I got the email. I don't mind too much as my email's spam filter should do the job. At least deviantART have taken action and have decided not to use Silverpop any more.

It's a good thing that Gmail has some great spam detection. I still get a ton of fake Blizzard emails, and I don't even play WoW anymore.

These companies whose databases have been compromised should disclose how these hacks were done.

Maybe not publicly, but work with security experts to prevent such things happening again.

rtire said,
These companies whose databases have been compromised should disclose how these hacks were done.

Maybe not publicly, but work with security experts to prevent such things happening again.

+1. I for one would love that information, and it would help me secure my servers.

Never got an email.... but then, it's been so long since I used deviant art, I'm not sure which email address was signed up with.

Shadrack said,
Names and DOB are the most alarming. More spammers getting my email doesn't seem to bother me as much these days.

At least they will know when to send me an ecard.

aarste said,
Only one source? And that source is from 9 hours ago too

How many sources do you need? The database was compromised, DeviantArt sent out an e-mail about it. Get the e-mail information and it's a fairly convincing article.

lunamonkey said,
Why were usernames and passwords in a marketing database?!!!!!!!!

edit : I mean date of birth, not passwords.

Birthdates are huge in marketing. Would a 41-year-old care about the newest transformer gadget, and would an 8-year-old care that the latest Lexus gets 35MPG, and so on.

lunamonkey said,
Why were usernames and passwords in a marketing database?!!!!!!!!

edit : I mean date of birth, not passwords.


Are you serious? They use them to find your age, what you like...to find out what you want.
Even Google does that...

lunamonkey said,
Why were usernames and passwords in a marketing database?!!!!!!!!

edit : I mean date of birth, not passwords.

hmmm why indeed.

Blasius said,

Birthdates are huge in marketing. Would a 41-year-old care about the newest transformer gadget, and would an 8-year-old care that the latest Lexus gets 35MPG, and so on.

well that's a load of crap! If marketing companies know my DOB, then why the eff have I been getting "enlargement" emails since I was 15?

Grunt said,

well that's a load of crap! If marketing companies know my DOB, then why the eff have I been getting "enlargement" emails since I was 15?

I think I've been getting them since I was even younger. Irritating...

Grunt said,

well that's a load of crap! If marketing companies know my DOB, then why the eff have I been getting "enlargement" emails since I was 15?

Maybe they have cameras in your bedroom too?

(kidding, of course).

Grunt said,

well that's a load of crap! If marketing companies know my DOB, then why the eff have I been getting "enlargement" emails since I was 15?

Ex-girlfriend spilled the beans? Lol. Kidding of course.

Grunt said,

well that's a load of crap! If marketing companies know my DOB, then why the eff have I been getting "enlargement" emails since I was 15?

Have you tried any of 'em? Did you get impressive results?

ie9 said,
Never got an email...

I got mine yesterday. It definitely explains how a spamless inbox was suddenly full of it.

Eh c'mon... I guess some new unknown exploit is floating around and now someone is all happy dumping SQL databases on compromised systems... kids...

Can someone explain to me what's the point except ****ing someone off and compromising the privacy of random people? I mean, they didn't get any money or any other valuables... so instead of doing the right thing and reporting the vulnerability, they go and **** random people around.... grow up!

SoLoR1 said,
Eh c'mon... I guess some new unknown exploit is floating around and now someone is all happy dumping SQL databases on compromised systems... kids...

Can someone explain to me what's the point except ****ing someone off and compromising the privacy of random people? I mean, they didn't get any money or any other valuables... so instead of doing the right thing and reporting the vulnerability, they go and **** random people around.... grow up!

You clearly are confused. Hacking custom systems is not a 'kids' deal. Especially DeviantArt who is a monopoly at what it does. If even kids can do this, why can't you? You probably couldn't even use the LOIC application.

Glendi said,

You clearly are confused. Hacking custom systems is not a 'kids' deal. Especially DeviantArt who is a monopoly at what it does. If even kids can do this, why can't you? You probably couldn't even use the LOIC application.

Because I stopped this kind of nonsense 10+ years ago after my high school lost internet for a week because of some "stupidity" I tried to do and got caught (actually the school got caught, but they instantly knew it was me anyway)... bottom line, I learned my lesson the hard way....

And yes, I'm sure they are more or less "kids". Fact is, when you are young and stupid, some of us learned how computers (and networking and coding) work by "experimenting", but sooner or later these things get kinda boring and you move on and start to use what you learned for something else, unless you have some messed up life values that is... Bottom line, there are not many 35-40 year old programmers (hackers) doing this kind of thing; this is typical teen behavior.

SoLoR1 said,
Can someone explain to me what's the point except ****ing someone off and compromising the privacy of random people? I mean, they didn't get any money or any other valuables... so instead of doing the right thing and reporting the vulnerability, they go and **** random people around.... grow up!

I'm pretty sure legitimate email addresses can be sold to spammers. Something like this would make the hacker a pretty penny.

SHoTTa35 said,
Seriously, WTF. So many "hacks" going on lately. Gizmodo, McDonalds, DeviantArt, what's next, AOL?

Neowin

SHoTTa35 said,
Seriously, WTF. So many "hacks" going on lately. Gizmodo, McDonalds, DeviantArt, what's next, AOL?

Microsoft Live Accounts

Yet another reason to use disposable email addresses and bug me not to gain access to websites that require registration to use them.

gdodson said,
Yet another reason to use disposable email addresses and bug me not to gain access to websites that require registration to use them.

Yes, because using a bugmenot to register an account is just as secure since everyone can access that same account...

Blasius said,

Yes, because using a << circumvention code >> to register an account is just as secure since everyone can access that same account...

As he said "use a disposable email address". I shouldn't need to register to download software drivers for instance. << circumvention code >> has its uses, and if you are using << circumvention code >> for your GMail account or a website like this to make comments on news, then you are obviously using it wrong.

Lol @ << circumvention code >>. Christ, Neowin. Really?

Shadrack said,
Lol @ << circumvention code >>. Christ, Neowin. Really?

That's why I had to add spaces. And Blasius, I wouldn't ever use my own email address to make a bug me not login. I only use accounts that others have made just to access a site. Why create an account for a website that I'm only going to visit once or twice?

John S. said,

me either, I'm betting they still have my old DeskMod.com (RIP) address

Don't forget that the mail server won't have got through all the email addresses yet, which is why you might not have received anything.

YounGMessiah said,
I never got an email =/

I'm not subscribed to their newsletter, but they should have still emailed me. There isn't even a visible notice on their front page telling people.

Examinus said,

I'm not subscribed to their newsletter, but they should have still emailed me. There isn't even a visible notice on their front page telling people.

Nor am I, but I still received the e-mail.

Examinus said,

I'm not subscribed to their newsletter, but they should have still emailed me. There isn't even a visible notice on their front page telling people.


There you are. In addition to the paragraph quoted on the article,
We can assure you that nothing occurred on our systems with respect to this incident and no access was gained to private information on deviantART's servers.

As a member of deviantART, you certainly have a right to know when an incident of this kind occurs. Unfortunately spammers are an unavoidable part of living on the Web.

The likely result of this event might be an increase in spam to your email. Experts have told us that there is an increase in email scams out there on the Internet and you should be cautious. Only click links or download attachments from people you know, particularly if they ask for personal information, and be sure that your email service provider has adequate spam filters.

Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.