Antivirus Firm Avast Discloses Password Data Breach
Antivirus vendor Avast Software halted its support forum and is urging those who registered on the site to change their passwords following a data breach impacting about 400,000 of its users.

The Prague, Czech Republic-based antivirus vendor, known for its freemium antivirus software, is said to have approximately 200 million users. Avast Software CEO Vince Steckler said the website was attacked over the weekend and compromised user nicknames, user names, email addresses and passwords. Steckler said the attack was detected and contained quickly.

"We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure," Steckler wrote. "This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known."

[Related: eBay Password Breach Prompts Security Best Practices Review]

Steckler said the passwords were protected using one-way encryption, meaning they were hashed but did not contain the additional salting security measure. "Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords," he wrote.
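The distinction Steckler draws is the whole story from a defender's point of view. An unsalted one-way hash maps every user who chose the same password to the same digest, so a single precomputed or recovered digest exposes all of them at once, whereas a per-user random salt combined with a deliberately slow key-derivation function makes every stored record unique and each guess expensive. The following Python is an added illustration written for this article, not code from Avast or from the breached forum software; the usernames and passwords are constructed sample values, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumption standing in for whatever a modern password store would use.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for illustration only; two of them happen to
# share a password, which is the situation an unsalted scheme cannot hide.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}

# Assumed work factor for the salted scheme (not a value taken from the article).
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain one-way hash with no salt: the storage the article describes."""
    return hashlib.sha256(password.encode()).hexdigest()


def shared_password_groups(records: dict) -> dict:
    """Group usernames whose stored unsalted digests are identical.

    Equal digests mean equal passwords, so recovering one password unlocks
    every account in the group, and a precomputed table needs only one entry.
    """
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def make_record(password: str) -> tuple:
    """Salted, slow storage: fresh random salt per user plus PBKDF2 stretching."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, record: tuple) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> tuple:
    """Contrast the two schemes on the constructed accounts.

    Returns (duplicate groups under unsalted hashing, whether all salted
    records are distinct, a correct login, a rejected wrong password).
    """
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    dupes = shared_password_groups(unsalted)

    salted = {u: make_record(p) for u, p in USERS.items()}
    # With per-user salts, alice and bob no longer share a stored digest.
    all_distinct = len({d for _, d in salted.values()}) == len(salted)

    return dupes, all_distinct, verify("correct horse", salted["alice"]), verify("wrong", salted["alice"])


if __name__ == "__main__":
    dupes, all_distinct, good, bad = demo()
    print("accounts exposed together under unsalted hashing:", list(dupes.values()))
    print("salted records all distinct:", all_distinct)
    print("correct password accepted:", good, "| wrong password rejected:", not bad)
```

Running it shows `alice` and `bob` grouped together under the unsalted scheme and three distinct records under the salted one, which is exactly why Steckler could not rule out "a sophisticated thief" deriving many of the 400,000 passwords. The `hmac.compare_digest` call in `verify` is there because a byte-by-byte comparison that exits early leaks timing information; it costs nothing to do correctly.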

When the new forum is brought online, all users will be prompted to set new passwords, Steckler said.

No payment information was exposed in the breach, Steckler said. Avast has primarily been an antivirus option for consumers; it sells a paid version of its software with support and additional features. The company introduced a business version in 2011 with a centralized administrative console and has been boosting efforts to reach consumers and businesses in the U.S. It currently makes its security software free for use in schools and libraries in the U.S.

Solution providers say the Avast forum, the eBay breach disclosed last week, and a spate of other password breaches should prompt users to change their passwords and never use the same one on multiple sites. Consider using a password manager to increase the password complexity and reduce the strain of handling many different account credentials.

In addition to passwords, the additional user data exposed in the breaches is valuable to criminals. Users should be wary of suspicious messages that could signal a phishing attack, said Graham Cluley, a U.K.-based security analyst and consultant. A hacker also can crack the encrypted user passwords using an automated tool and potentially gain access to other accounts using the same credentials, Cluley said.

"To Avast’s credit, it does appear to have promptly responded to the attack, shutting the forum and emailing users who might be affected by the security breach," Cluley said. "Compare that to eBay’s recently exposed tardy efforts in response to its own hacking attack."

Businesses are also responding. Firms are increasingly turning to increased monitoring and profiling of employee access and system behavior, said Eldon Sprickerhoff, founder and chief security strategist at Cambridge, Ontario-based managed security services provider eSentire. Employees, either by unintentional lapses or maliciously, end up at the core of a wide variety of breaches.

"You can't rely on technology to do everything, but if your concern is a specific set of data, you have to proactively build systems that make it difficult for an attacker to get at everything," Sprickerhoff said. "You can use encryption or tokenization or segment systems so if criminals exploit one piece they don't get the keys to the kingdom."

PUBLISHED MAY 27, 2014