to surface recently, hackers made off with 6 million accounts for CashCrate, a site where users can be paid to complete online surveys, according to a database obtained by Motherboard. In short, CashCrate connects users to companies that need people to test new products and services, or take part in daily surveys in exchange for cash.

The data includes user email addresses, names, passwords, and physical addresses. Judging by timestamps in the stolen database, the earliest accounts date way back to 2006, and come with full passwords. If a user signed up to another service with the same password, hackers could access the victim's account on another site, as well as their CashCrate account. Accounts from mid-2010 onwards appear to have passwords hashed with the notoriously weak MD5 algorithm, meaning that hackers may be able to crack the hashes and obtain the real login credentials.

For-profit breach notification site LeakBase provided Motherboard with a copy of the CashCrate data. To verify that the data was legitimate, Motherboard attempted to create accounts with random email addresses included in the data. In every instance, this was not possible, because the email was already linked to an account on CashCrate.

As an indication of CashCrate's approach to cybersecurity, the site does not use basic web encryption, including on its login page, meaning that credentials could be exposed to anyone in a position to intercept them.

"We're in the process of notifying all our members about the breach. While we're still investigating the cause, at this point it appears that our third-party forum software was compromised, which led to the breach. We've deactivated it until we're confident it's secure," a CashCrate spokesperson told Motherboard in an email.
"We have also confirmed that any users who have logged in since October 2013 have passwords that are fully hashed and salted, and we're looking into why some inactive accounts have plaintext passwords. Those will be hashed and salted immediately," the spokesperson added.

The lesson: We all sign up to odd or random websites. If possible, it may be worth using a different email address for these more leftfield sites, or even creating dedicated addresses for each. That way, when a breach does occur, any fallout will be mitigated, and hopefully limited to only one or a few sites. That, and you should use a unique password for every site too.