Breaches & Changes: Seven Incidents that Remind Us About Password Integrity
July: The Dog Days Of Password Hacking
Hacking is certainly an ongoing phenomenon in this day and age. But, the month of July has been marked by an impressive number of high-profile password thefts. The details vary somewhat among the different incidents. In some cases, even obvious, good-faith efforts for good security were insufficient to keep the bad guys at bay. In each case, the impacted organization gave the same song and dance, calling upon its account holders to change passwords and to select those passwords carefully. Please feel free to sing along, when you know the words.
Santa Clara, Calif.-based Nvidia has temporarily shut down its online developer forum due to a likely breach of hashed passwords. The company is advising developers who use the forum to change any identical passwords that may be used elsewhere. An investigation is currently under way. The notice also says that the site does not request financial information or other sensitive data, indicating that any such requests purported to be from the company should be ignored. The interruption does not impact other Nvidia sites. Note to Self: Change password.
Android Forums has acknowledged that its servers have been compromised, exposing the site's database. A notice posted on the site says it's uncertain as to whether the data was actually downloaded and further indicates that the exploit has been identified and resolved by upgrading security on the server. Exposed information includes usernames, emails, hashed and salted passwords, registration IP addresses, user group memberships, infraction levels, last time online, last post date, post count and other details. The group's administrator says the action was most likely an email-harvesting attempt. User password changes are recommended.
Yahoo acknowledged the theft of more than 400,000 plaintext passwords that were subsequently posted on the Internet. While most of the passwords seem to have been taken from the Yahoo voice services, various industry sources are recommending that everyone with a Yahoo account immediately change their passwords. A group called the D33DS Company has been attributed as the source of the breach. The hackers are believed to have used a UNION-based SQL injection to collect the data, and the group claims they posted the passwords as a high-profile way of making a point about Yahoo's security and the state of information security in general. Best advice: Change your password!
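The Yahoo entry names the injection class but not the code behind it, so here is an added illustration (not Yahoo's code, and the schema, table names and rows are constructed for the example) of the difference between building a query by string concatenation and binding the input as a parameter. The same UNION-shaped input is run through both versions so the contrast is visible: the concatenated query lets the input splice a second SELECT onto the first and read rows from an unrelated table, while the parameterized query treats the whole string as a username value and matches nothing.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a public profile table next to a
    credentials table that the profile lookup should never touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT, display_name TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)",
                     [("alice", "Alice A."), ("bob", "Bob B.")])
    # Plaintext passwords, as in the Yahoo dump; constructed sample values.
    conn.executemany("INSERT INTO credentials VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "letmein")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL text,
    so a quote character ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username, display_name FROM profiles "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding: the input is handed to the driver as data and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, display_name FROM profiles WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Regression-test input shaped like a UNION injection: it closes the string
# literal, appends a SELECT with the same column count from another table,
# and comments out the trailing quote. Constructed for the demonstration.
UNION_PROBE = "x' UNION SELECT username, password FROM credentials --"


def compare() -> dict:
    """Run the probe through both lookups; the vulnerable one leaks the
    credentials table, the safe one returns no rows."""
    conn = build_db()
    return {
        "normal": lookup_safe(conn, "alice"),
        "vulnerable": lookup_vulnerable(conn, UNION_PROBE),
        "safe": lookup_safe(conn, UNION_PROBE),
    }


if __name__ == "__main__":
    for label, rows in compare().items():
        print(label, rows)
```

A useful habit is to keep `UNION_PROBE`-style inputs in the application's test suite, so that any query path that ever regresses to concatenation fails a test rather than an audit.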
Formspring issued a blog post announcing a security breach in which approximately 420,000 password hashes were posted to a security forum. The post apparently did not contain usernames or any other identifying information. The group temporarily locked down its system and launched an investigation in which it determined that unauthorized parties had accessed one of its development servers to gain access to the data. According to a statement from the administrators, "We were able to immediately fix the hole and upgraded our hashing mechanisms from sha-256 with random salts to ... fortify security." What to do: Change your password.
Though details were somewhat sketchy, music site Last.fm acknowledged a leak of some user passwords in mid-July. But if there's such a thing as good timing for a password breach, this was probably it. The Last.fm incident was sandwiched among multiple higher-profile breaches. Aside from occurring in short succession with the aforementioned breaches, Last.fm, with around 420,000 passwords leaked, pales in comparison, shockingly, to the hacks next up on our list. The company's advice? Okay, everybody now, in unison. "Change your password."
Finding love can be difficult for some of us. And for those of us in that category, why not pretend to be somebody else entirely? Our next stop in this cavalcade of password breaches involves dating site eHarmony. Earlier this month, the company acknowledged that "a small fraction" of its user passwords had been compromised. In this case, the small fraction reportedly involved 1.5 million hashed passwords. But given the monster-size database that eHarmony must have, that might actually be a small fraction. What's the advice? First, all the single ladies: "Change your password!" Now, the single gentlemen ... come on, fellas, you know the words.
Last but not least, social-networking powerhouse LinkedIn was tapped for approximately 6.5 million unsalted SHA-1 hashed passwords posted to the Internet at the beginning of July. It took the company a while to acknowledge the breach, but during the interim, multiple security experts contacted by CRN had already found their own passwords on the list. Because the passwords were hashed, there remained a bit of work to do in order to disclose the actual passwords, so the hackers published them publicly in order to use the buddy system. We don't need to tell you the advice this time. Right?
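The LinkedIn entry says the hashes still needed "a bit of work" to turn into passwords; the reason the work was small is that the hashes were unsalted SHA-1. The following is an added illustration, not LinkedIn's code, and the common-password list and sample records are constructed for it. It contrasts a deterministic unsalted hash with a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library, chosen here as the hardened form): with no salt, two users who chose the same password share one hash, and a single table built from a list of common passwords matches every hash in the dump at once; with a salt, there is no shared table, and each record has to be checked separately at the cost of the configured iteration count. The audit functions are written from the defender's side, to estimate how many accounts in a dump used a common password.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a public list of frequently chosen passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Work factor for the salted scheme; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The scheme in the LinkedIn dump: one deterministic digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str) -> dict:
    """Per-user random salt plus an iterated hash; returns the stored record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], digest)


def identical_passwords(password: str) -> tuple:
    """Unsalted: two users sharing a password share a hash, so one recovery
    exposes both. Salted: their stored hashes differ."""
    a, b = store_salted(password), store_salted(password)
    return (sha1_unsalted(password) == sha1_unsalted(password),
            a["hash"] != b["hash"])


def audit_unsalted_dump(leaked_hashes: list) -> dict:
    """Map leaked unsalted hashes to common passwords.

    The table is built once and applies to every hash in the dump, which is
    why size of the dump barely changes the effort per account.
    """
    table = {sha1_unsalted(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in leaked_hashes if h in table}


def audit_salted_records(records: list) -> dict:
    """Same audit against salted records: there is no shared table, so each
    record costs one PBKDF2 computation per candidate. Returns index -> match."""
    hits = {}
    for i, rec in enumerate(records):
        for p in COMMON_PASSWORDS:
            if verify_salted(rec, p):
                hits[i] = p
                break
    return hits


if __name__ == "__main__":
    # Constructed sample dump: three accounts, two of them on common passwords.
    dump = [sha1_unsalted(p) for p in ("password", "Tr0ub4dor&3", "123456")]
    print("unsalted hits:", audit_unsalted_dump(dump))
    print("identical password (shared hash, distinct salted):",
          identical_passwords("password"))
```

The salted audit still finds weak passwords, which is the honest lesson: a salt removes the shared lookup table and the "same hash, same password" signal across accounts, and the iteration count sets a price per guess, but it does not rescue an account whose password is on a common list. That is why the advice in every incident above remains the same.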