BreachExchange mailing list archives
After Adobe Hack, Other Sites Re-Set Passwords
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 12 Nov 2013 00:07:22 -0700
http://blogs.wsj.com/digits/2013/11/11/after-adobe-hack-other-sites-re-set-passwords/

Last month, Adobe announced hackers stole login information for some 38 million of its customers. Now Facebook and other Internet companies are worried their users might also be affected.

The link: Internet users, despite repeated warnings, often use the same password across many different websites. So even if Facebook wasn’t hit by this round of cyberattacks, the Adobe hackers still might be able to break into Facebook member accounts with recycled passwords.

The social media giant recently began requiring some members who it believes used the same passwords for their Adobe accounts to create new ones. And Amazon.com unit Diapers.com, which sells diapers and other baby products, also recently reset the passwords of some customers who it believed were affected by the Adobe attack, according to a customer email posted online.

Microsoft said it is aware of the potential problem for some of its users and is “taking appropriate action,” a spokeswoman said, who didn’t elaborate.

The efforts underscore the ways that online companies share risk in hacking attacks, and also together have to clean up from the fallout.

“The attack against Adobe’s customer database illustrates the extreme risk and vulnerability we accept as we continue to depend on passwords to secure our personal information and keep us safe online,” said Michael Barrett, president of the FIDO alliance, a group of technology companies, including PayPal, Google and Lenovo.

Adobe disclosed the hack last month and the massive trove of emails and encrypted passwords was available online. Security researchers have said they were able to decrypt some of those passwords. Some Internet companies are now scanning that list of Adobe email addresses and passwords on their own to see if their own customers used the same combination.

“We know that there are going to be plenty of cases where those passwords were reused just based on knowledge of user habits across the Web,” Facebook spokesman Jay Nancarrow said.

Affected Facebook users recently received a message that read, “Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident, but your Facebook account is at risk because you were using the same password in both places.”

Amazon didn’t respond to requests for comment.

Internet security experts long have warned consumers against employing the same password all over the Internet, a common practice according to studies.

Companies generally store user passwords in encrypted form. The goal is that if their servers are breached, hackers will not have recovered users’ actual passwords, but instead a bunch of garbled text.

Part of the problem is that the information stolen from Adobe was on a backup system that used a relatively weak form of encryption. This would make it easier for hackers to figure out users’ passwords.

Adobe has used a harder-to-crack form of encryption for more than a year and the breached system was set to be decommissioned, a company spokesman said. The company has reset passwords for all of its users whose current login information was stolen in the hack, the spokesman said.

Cybersecurity journalist Brian Krebs reported earlier on the Facebook user messages.