The email goes on to explain that suspicious activity on Cerberus servers has been recently discovered and blocked, but that the user's account has not been compromised.
"However, the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed," the team shared. "While the accessed passwords are encrypted, as an extra precaution we have immediately secured these accounts invalidating the current passwords."
The Cerberus team also issued a statement containing more details about the breach:
"The database was not accessed, passwords are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon," they said. "The attacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords, that was generated by the app logins between March 1 and March 21."
The team has deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved.
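The failure described above is password material (SHA-1 digests next to usernames) landing in an application log. The following is an added example, not code from Cerberus or from the original article: a small scanner that flags log lines pairing a username with a SHA-1-shaped hex token, and a redaction step for logs that must be retained. The log format, field names and digest values are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a legacy login log in the shape the article describes:
# a username sitting next to a 40-hex-character SHA-1 digest. Values are made up.
SAMPLE_LOG = """\
2020-03-05 10:12:01 login user=alice hash=0123456789abcdef0123456789abcdef01234567
2020-03-05 10:13:44 login user=bob hash=89abcdef0123456789abcdef0123456789abcdef
2020-03-05 10:14:02 health check ok
2020-03-05 10:15:10 login user=carol hash=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""

# Heuristic: any standalone run of exactly 40 hex characters looks like a SHA-1
# digest. Other artifacts (e.g. git commit ids) match too, so a hit is a lead
# for review, not proof of a leak on its own.
SHA1_HEX = re.compile(r"\b[0-9a-fA-F]{40}\b")
USERNAME = re.compile(r"\buser=(\S+)")  # assumed field name for this log format


def find_credential_leaks(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per line that carries both a username and a SHA-1-shaped token."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        user = USERNAME.search(line)
        digest = SHA1_HEX.search(line)
        if user and digest:
            findings.append({"line": lineno, "user": user.group(1), "digest": digest.group(0)})
    return findings


def redact(log_text: str) -> str:
    """Replace every SHA-1-shaped token with a marker so a retained copy holds no password hashes."""
    return SHA1_HEX.sub("[REDACTED-SHA1]", log_text)


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: user {f['user']} logged next to digest {f['digest']}")
    print(redact(SAMPLE_LOG))
```

Run against real log directories, the same check belongs in the log pipeline (before shipping) rather than only as an after-the-fact sweep.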
Only 3 accounts were actually accessed (and their owners notified), but the team reset the passwords of a total of 96564 accounts as a precaution. "As of March 26, none of the data obtained by the attacker was released publicly, that we know of," they concluded.
The three-person team behind the app also confirmed that they are working closely with law enforcement on this matter, and that they will share more news as it becomes available and safe to publish.