- A fax machine vendor from the US was included in last month’s humongous Cit0day leak.
- There are 560,000 records in the database containing email addresses and passwords in plain-text form.
- The company has not responded to the notifications and has failed to inform its customers of the compromise.
The New Jersey-based fax machine reseller ‘Fax Express’ has leaked the email addresses and passwords of about 560,000 of its customers. The data surfaced in one of the “Cit0day.in” packs that became public last month. Unfortunately, nothing in the database was encrypted or hashed, so the passwords are in plain-text form.
‘Fax Express’ either never noticed the breach or simply chose not to disclose it when it happened. Additionally, the firm failed to respond to the researchers of CyberNews, who attempted to contact them on November 16, 2020, to inform them about the risks involved. Maybe they should have tried sending them a fax.
With the database leaked and under active exploitation for over a month already, all that can be done now is to inform those who may have been at risk. The eight domains connected to the Fax Express firm are the following:
It is possible that the data was sourced from more than one of the above, since the number of records is large enough to suggest that it did not come from a single domain. Thus, if you have bought a fax, printer, copier, scanner, or shredder from one of the above websites, consider your credentials compromised.
In practical terms, that means you should reset your password on any other online platform where you may have reused the same one. Additionally, you should treat incoming emails with extra caution, as phishing actors or scammers may attempt to trick you. Someone could approach you claiming to know your password and threatening you with various concocted scenarios. Don’t take the bait.
As for the “fax” element of the story, we would suggest that anyone who has an email address finally switch to software-based faxing. Using obsolete tech hasn’t served you well in this case, and judging by the vendor’s outdated website, it is clear that they aren’t paying much attention to security.
Next time you are legally obliged to use a fax, ensure that the marketplace you’re buying the machine from hashes and salts your passwords properly. Ideally, go out and buy the thing from a physical store.