SEA hacks Forbes, steals and leaks 1M user records
Posted on 17 February 2014.
Business news site Forbes and its registered users are the latest victims of the Syrian Electronic Army (SEA) hacker collective, which proved that they have broken into the company's network and took off with a database containing over 1 million user and some Forbes' staffers records.

"Forbes.com was targeted in a digital attack and our publishing platform was compromised," the company behind the publication TEXTconfirmed shortly after the revelation, and warned: "The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks."

They also added that the passwords were encrypted, but that users would do well to change them anyway once sign-on is made available again.

After initially claiming that they would sell the database, SEA hackers changed their minds and made it available for public download.

Sophos' Paul Ducklin and his colleagues managed to get their hands on the file, and discovered that the records contained usernames, encrypted password data, users' full names, email address, and more.

They have analyzed the data, and discovered that the passwords were not encrypted, but salted and hashed. "They use what's called PHPass Portable format," shared Ducklin, and explained how it works.

"You can 'work backwards' from the Forbes datatbase to recover the passwords, but you need a lot of computing power, or time, or both," he noted, and added the scheme is good if the users chose complex and long passwords.

But after they managed to crack the passwords belonging to Forbes staffers, it was clear that even they had used very poor passwords.

"Forbes did the wrong thing by getting breached in the first place, and by letting the SEA make off with its password database," Ducklin commented. "And while the the 8193-iteration MD5-based hashing system described is a little short of modern best practice (try a stronger hash that takes longer to calculate, with more iterations), it's better than Adobe's disastrous 'one key to encrypt them all' system.









Spotlight

eBook: Cybersecurity for Dummies

Posted on 16 December 2014.  |  APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Thu, Dec 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //