Trapster.com, creator of a popular mobile application that warns users about speed traps, notified users this week that their passwords may have been exposed due to an attack.
The company released few details about the incident. In an e-mail, the company said it understood how the attack occurred and had already rewritten code to prevent it from happening in the future, but would not disclose what happened or when. It is not clear whether the hackers successfully captured any e-mail addresses or passwords, and there is nothing to suggest the information has been used, the company said.
“We believe it’s best to be cautious,” the company said. “So, we are telling users if they registered their account with Trapster, then it’s best to assume that their e-mail address and password were included among the compromised data.”
Launched in 2007, Trapster boasts more than 10 million users. While the company said it is notifying all its registered users, it also contends that the majority of the 10 million-plus users don’t register. As a result, the actual number of people affected by the breach is less than 10 million, the company told eWEEK.
As in the recent Gawker Media breach, security pros are advising users to change their passwords for other sites as well if they are identical to their Trapster password.
“Now, you may not care very much if your credentials on Trapster have been compromised and may think that not too much harm can come from that,” blogged Graham Cluley, senior technology consultant at Sophos. “But what if you use the same e-mail address/password combination on other Websites such as your Twitter account or Web e-mail address?”
“If hackers grab your password in one place, and you have carelessly used the same password elsewhere, then you could be on a dangerous road,” Cluley added.
In the Gawker case, the e-mail addresses and passwords of registered users were leveraged for a spam campaign on Twitter. When it was said and done, hundreds of thousands of Twitter accounts were compromised to send out spam pushing the acai berry diet with messages such as: “I lost 9 lbs. using acai! RT This! [link].”
“If you used your Trapster password on any other Website, you should change the password on that site as well, particularly if you used the same e-mail address with that site,” Trapster advised.
Trapster also offered advice on creating a strong password, including making it at least eight characters and avoiding the use of common words or phrases.
“As far as pursuing the perpetrator, we continue to look into this but are focused right now on our users,” the company said.