SEA hacks Forbes, steals and leaks 1M user records
Posted on 17 February 2014.
Business news site Forbes and its registered users are the latest victims of the Syrian Electronic Army (SEA) hacker collective, which has shown that it broke into the company's network and made off with a database of over 1 million user records, including those of some Forbes staffers.

"Forbes.com was targeted in a digital attack and our publishing platform was compromised," the company behind the publication confirmed shortly after the revelation, and warned: "The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks."

The company also said that the passwords were encrypted, but that users would do well to change them anyway once sign-in is made available again.

After initially claiming that they would sell the database, SEA hackers changed their minds and made it available for public download.

Sophos' Paul Ducklin and his colleagues managed to get their hands on the file, and found that the records contained usernames, password data, users' full names, email addresses, and more.

On analyzing the data they found that the passwords were not encrypted at all, but salted and hashed with an iterated MD5 scheme. "They use what's called PHPass Portable format," shared Ducklin, and explained how it works.

"You can 'work backwards' from the Forbes database to recover the passwords, but you need a lot of computing power, or time, or both," he noted, and added that the scheme holds up well only if users chose long, complex passwords.

But once they had cracked the passwords belonging to Forbes staffers, it was clear that even those users had chosen very weak passwords.

"Forbes did the wrong thing by getting breached in the first place, and by letting the SEA make off with its password database," Ducklin commented. "And while the 8193-iteration MD5-based hashing system described is a little short of modern best practice (try a stronger hash that takes longer to calculate, with more iterations), it's better than Adobe's disastrous 'one key to encrypt them all' system."
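The scheme Ducklin describes (phpass' portable `$P$` format: a salt, one MD5, then 2^n further MD5 rounds, giving the 8193 calls he cites for the WordPress default `$P$B`) can be reproduced with the following Python. It is an example added here, not code from Sophos, Forbes or the phpass project; it re-implements the published phpass algorithm, hashes and verifies a constructed password, derives the per-guess cost from the count character, and runs a small dictionary attack to show what "working backwards" means in practice. The salt `saltsalt`, the password and the wordlist are made up; the only real value is the `test12345` vector shipped in phpass' own test.php, used as a cross-check.

```python
import hashlib
import hmac

# phpass' own 64-character alphabet (not the RFC 4648 one); the character
# after "$P$" is an index into it giving log2 of the iteration count.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data):
    """phpass' little-endian 6-bit encoding of raw bytes (16 bytes -> 22 chars)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password, setting):
    """Portable phpass hash: MD5(salt+pw), then 2**log2 rounds of MD5(prev+pw).

    `setting` is the 12-char prefix "$P$" + count char + 8-char salt; the
    result is that prefix plus the 22-char encoded digest (34 chars total).
    """
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:      # same bounds phpass itself enforces
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def check_password(password, stored):
    """Verify a candidate against a stored hash, comparing in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)


def md5_calls_per_guess(stored):
    """Cost an attacker pays per candidate: 2**log2 rounds plus the first MD5."""
    return (1 << ITOA64.index(stored[3])) + 1


def crack(stored, candidates):
    """Offline dictionary attack: return the first candidate that matches, else None."""
    for guess in candidates:
        if check_password(guess, stored):
            return guess
    return None


# Constructed demo data: salt, password and wordlist are made up for this
# example and are not taken from the leaked Forbes database.
DEMO_SETTING = "$P$B" + "saltsalt"   # 'B' -> 2**13 rounds, i.e. 8193 MD5 calls
DEMO_PASSWORD = "forbes2014"
DEMO_WORDLIST = ["123456", "password", "forbes", "forbes2014", "letmein"]

# The one real value here: the portable-hash vector from phpass' own test.php.
KNOWN_VECTOR = ("test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0")

if __name__ == "__main__":
    stored = phpass_hash(DEMO_PASSWORD, DEMO_SETTING)
    print("stored hash      :", stored)
    print("MD5 calls/guess  :", md5_calls_per_guess(stored))
    print("known vector ok  :", check_password(*KNOWN_VECTOR))
    print("dictionary attack:", crack(stored, DEMO_WORDLIST))
```

The per-guess cost is the whole defence: 8193 MD5 calls is cheap for a GPU cracker running a wordlist, so a salt and iteration count only buy time for passwords that are not in a wordlist to begin with, which is exactly why the staffers' weak choices fell. Swapping the inner loop for bcrypt, scrypt or PBKDF2 with a much higher work factor is the "stronger hash that takes longer to calculate" Ducklin recommends.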
