"Forbes.com was targeted in a digital attack and our publishing platform was compromised," the company behind the publication TEXTconfirmed shortly after the revelation, and warned: "The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks."
They also added that the passwords were encrypted, but that users would do well to change them anyway once sign-on is made available again.
After initially claiming that they would sell the database, SEA hackers changed their minds and made it available for public download.
Sophos' Paul Ducklin and his colleagues managed to get their hands on the file, and discovered that the records contained usernames, encrypted password data, users' full names, email address, and more.
They have analyzed the data, and discovered that the passwords were not encrypted, but salted and hashed. "They use what's called PHPass Portable format," shared Ducklin, and explained how it works.
"You can 'work backwards' from the Forbes datatbase to recover the passwords, but you need a lot of computing power, or time, or both," he noted, and added the scheme is good if the users chose complex and long passwords.
But after they managed to crack the passwords belonging to Forbes staffers, it was clear that even they had used very poor passwords.
"Forbes did the wrong thing by getting breached in the first place, and by letting the SEA make off with its password database," Ducklin commented. "And while the the 8193-iteration MD5-based hashing system described is a little short of modern best practice (try a stronger hash that takes longer to calculate, with more iterations), it's better than Adobe's disastrous 'one key to encrypt them all' system.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.