SEA hacks Forbes, steals and leaks 1M user records
Posted on 17 February 2014.
Business news site Forbes and its registered users are the latest victims of the Syrian Electronic Army (SEA) hacker collective, which proved that they have broken into the company's network and took off with a database containing over 1 million user and some Forbes' staffers records.

"Forbes.com was targeted in a digital attack and our publishing platform was compromised," the company behind the publication TEXTconfirmed shortly after the revelation, and warned: "The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks."

They also added that the passwords were encrypted, but that users would do well to change them anyway once sign-on is made available again.

After initially claiming that they would sell the database, SEA hackers changed their minds and made it available for public download.

Sophos' Paul Ducklin and his colleagues managed to get their hands on the file, and discovered that the records contained usernames, encrypted password data, users' full names, email address, and more.

They have analyzed the data, and discovered that the passwords were not encrypted, but salted and hashed. "They use what's called PHPass Portable format," shared Ducklin, and explained how it works.

"You can 'work backwards' from the Forbes datatbase to recover the passwords, but you need a lot of computing power, or time, or both," he noted, and added the scheme is good if the users chose complex and long passwords.

But after they managed to crack the passwords belonging to Forbes staffers, it was clear that even they had used very poor passwords.

"Forbes did the wrong thing by getting breached in the first place, and by letting the SEA make off with its password database," Ducklin commented. "And while the the 8193-iteration MD5-based hashing system described is a little short of modern best practice (try a stronger hash that takes longer to calculate, with more iterations), it's better than Adobe's disastrous 'one key to encrypt them all' system.









Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //