In february 2020, I received an email from Netflix that I had signed up for an account. This was to an email address that is completely unique to beeradvocate (as is the custom I do with many sites I sign up for). Someone had registered a new Netflix account with my email / password associated with my BeerAdvocate account. This email address & password combination has existed only in two places: my memory and beeradvocate's database. Not even a password manager.My going in position when contacted was that this would be yet another case of someone unfairly misattributing a breach to an organisation based purely on what they believe to be a unique email address or password being used in a way they didn't expect. I see this all the time and I literally have a blog post in progress titled "Has a Site Been Breached Because I Received an Email to an Address Unique to Them?" It details many different reasons for this behaviour that are entirely unrelated to a breach and in my experience, there is almost always a non-breach explanation. But not this time.
Plugging the email address in question into HIBP resulted in only a single hit:Unverified breaches are incidents where the data is legitimate (for example, people's real email addresses and passwords), but I haven't been able to confirm the legitimacy of the source. Per the description in the breach above, that incident definitely had data that could be traced back to both Coupon Mom and Armor Games, but what else might be in there? I pulled out the original breach and searched for "beeradvocate". 816 rows came back:
Well that's... damning. You simply don't have that many matches without there being a very high likelihood BeerAdvocate had suffered a data breach. For every one instance of an email address or password with the string "beeradvocate" in it there'll be another 100 instances that still came from their service but didn't use a customised email alias or (let's face it) very poorly chosen password. On the balance of evidence, they had indeed been breached and their data rolled in with at least the two other organisations into what was now effectively a credential stuffing list.
On Friday, BeerAdvocate / Next Glass contacted impacted customers and published a public disclosure notice:
After a thorough investigation from an independent third party cyber security firm, it was confirmed that BeerAdvocate user login credentials (email address, BeerAdvocate forum password) were lost and aggregated along with breaches of other websites into a breach dataset that became known as CouponMom 2014.I'd argue that they're not lost, instead there's actually a lot of backups of them! They dated the breach back to "seven or eight years ago" and stated that "a since-retired password hashing method allowed some passwords to be derived". They don't state which algorithm was used, but it's a safe bet it was MD5 or SHA-1 which was already pretty fundamentally flawed by that time. I personally would have approached a number of things around this incident differently, but Next Glass still deserves some kudos for taking the concerns of the individual who raised this seriously and seeing it through to its conclusion, especially given they inherited this breach by virtue of the BeerAdvocate acquisition.
Just one more thing - I've often been asked why I don't discard the source data of a breach once processed and email addresses loaded into HIBP. Putting aside the fact that discarding it doesn't actually make it go away (a quick search found this data still being extensively traded), historical breaches can be enormously useful in establishing the origin of subsequent breaches. This incident exemplifies that and without ready access to this data I don't know that BeerAdvocate would have established the breach, notified their customers and given them the opportunity to go and change that same one password they use across all their other accounts...
Cheers! 🍺Have I Been Pwned Security