Wappalyzer reveals data breach after hacker disclosed incident to customers

Wappalyzer, a company whose software identifies the technologies a website uses by detecting its ecommerce platform, web framework, server software and analytics tools, disclosed a security breach earlier this week after the attacker behind it began emailing users.

It appears that the company became aware of the incident in January 2020 but did not disclose it at the time. Only after Wappalyzer customers received an email from the actor responsible for the breach did the company confirm the incident to its clients in an email notification.

The hacker, calling himself CyberMath, told users that he is selling Wappalyzer's full database for $2,000 in cryptocurrency and invited them to contact him for further information.

“If you receive this e-mail it’s because we get the full database of Wappalyzer, and your e-mail is one the database. I’m selling the full .sql for 2000$ in Bitcoin, if you want more informations, contact me at this email,” said CyberMatch while also adding screenshots of the database files.

According to a screenshot of the email notification seen by ZDNet, Wappalyzer told customers that “on 20 January 2020 our database was compromised due to a misconfiguration. No financial information or passwords were included in the breach. The issue has been resolved and our website is working normally.”

Company founder Elbert Alias also told ZDNet that the stolen information consists mostly of technographic data, but that the 16,000 email addresses and billing addresses of customers who requested a quote or placed an order on the company's website before January 20 may have been included in the stolen datasets.

“There is no action you need to take. If you requested a quote from our website before this date, your email address may have been included in the stolen data. If you placed an order on our website before this date, your billing address may also have been included in the stolen data. Some of our customers received an email from the perpetrator offering to sell stolen datasets. This data does not include personal information. If you receive such an email, mark it as spam and do not reply or click any links as it’s likely a scam,” said Wappalyzer.