Letterboxd Data Breach Exposes User Information in Movie Night Nightmare

The film fan social platform Letterboxd is warning users to change their passwords following a cyber attack that reportedly exposed user data including email addresses, employee data, and website content. 

In a security notice sent to Letterboxd members by CTO Karl von Randow, users were told that the company had identified "unauthorised access" on its systems and that "some data" may have been stolen by the threat actors.

“On February 15, 2024, we identified suspicious activity on one of Letterboxd’s staff accounts. We immediately blocked this unauthorized access, however, some data associated with a number of members (albeit significantly less than 1% of all accounts) was accessed during this time,” wrote von Randow.

The email goes on to explain the severity of the attack involving a staff member's account being compromised, allowing the hacker to access personal information like user email address as well as ‘private’ information including lists made on the platform. The statement clarifies that no passwords or financial information was compromised. 

“Staff accounts allow access to support tools, including a tool that exports information for an individual member. The information accessed for each of the affected members included their email addresses, private lists, private watchlists (if enabled), and deleted content.

"No accounts (other than the staff member’s) were signed into, no data was changed, and no passwords or financial information was accessed. Unfortunately, we’re not able to determine which accounts had their data accessed,” the letter to users added.

Letterboxd's Response and Recommendations

The company acknowledges the seriousness of the incident, to conclude the letter Von Randow apologizes and explains the steps being taken to by Letterboxd prevent future issues. He also advises that users enable two-factor authentication for the best account security.

“We would like to apologize to our community for this breach. At Letterboxd, the privacy and security of members is our top priority. To this end, we have put several mitigations, improvements and additional security measures in place to prevent such unauthorized access from happening in the future.

"We recommend that all members use a unique, complex password and enable two-factor authentication for the best account security. If you have any additional questions about this incident please reply to this message,” the statement reads. 

Users who replied directly to Letterboxd's data breach email have reported that they have received a response from the company.

What is Letterboxd?

Letterboxd is a social networking platform for film fans where users can track and rate their latest watches, write reviews and engage with other users.

The site has over 10 million users from casual fans to critics, as well as celebrities including director Martin Scorsese and actress Ayo Edebiri. 

Why was Letterboxd cyber attacked?

Although the intention and the full extent of the damage are currently not certain, there's are a few reasons Letterboxd may have been targeted.

While less likely for a niche platform like Letterboxd, it's possible a specific user or group targeted the site for personal reasons. This could be someone unhappy with the platform or its policies, or even an attempt to disrupt the online film community.

User data, even seemingly innocuous information like email addresses and movie preferences, can be valuable for targeted advertising or identity theft. Sometimes, attackers compromise less secure accounts to use them as stepping stones to access more valuable targets.

The cyber attack on Letterboxd is just one of the many cyber attacks hitting the headlines this week, with NHS Dumfries and Galloway having significant amounts of patient data stolen whilst luxury boat and yacht seller MarineMax is struggling to stay afloat after a cyber attack pushed its IT systems offline earlier this week.