Data leaks at Stratfor and Care2 mark the end of a year riddled with data theft

Filed Under: Data loss, Featured, Podcast, Privacy

Was 2011 the year of the data leak? Could be, but it is hard to tell.

From my vantage point writing daily about the most important stories in information security, data theft may not have been the most important story of 2011, but it certainly impacted more regular people and raised their awareness about the problem of all of their data being "in the cloud".

I shared my thoughts on this today with John Moe on Marketplace Tech Report from American Public Media in the United States.

You can listen to my thoughts on 2011 alongside John Moe, Jonathan Zittrain, Susan Crawford and Danah Boyd in this four minute podcast.


(30 December 2011, duration 4:00 minutes, size 1.9 MBytes)

While Anonymous/LulzSec dominated the data breach headlines, what became clear was that more and more organizations are collecting data about us and doing a poor job of protecting that information.

Compliance rules like HIPAA/HITECH, PCI and others are not really having their intended impact: health records, credit cards, passwords, birth dates and more were all stored insecurely on often woefully unpatched systems.

The number of records stolen was enormous. Sony alone was hacked more than 20 times and lost over 100 million records.

The bulk email marketing company Epsilon leaked names and email addresses from some of the world's most trusted brands like Best Buy, Marks & Spencer, Marriott Rewards, Walgreens and Chase Bank.

South Korean social media users were hit hard when Cyworld and Nate were compromised (both owned by SK Communications) and hackers made off with more than 35 million records.

Like video games that aren't related to Sony? Chances are your data was leaked when the Steam user forums were breached or when Square Enix was hit twice in 2011.

Citibank credit card users had card information compromised, affecting more than 200,000 people, as did customers of handmade cosmetics company Lush.

Of course the biggest story at the end of 2011, wrapping up the year of unsecured data, has been the attack Anonymous made on Stratfor.

Stratfor, a company focused on security intelligence services, was attacked by Anonymous, who have allegedly acquired 75,000 addresses, credit cards and names of its customers and then posted them publicly.

Sadly, it seems companies still aren't learning the lesson of protecting their customers' information, even after all of these headlines and millions of dollars in lost reputation to the companies involved.

It was brought to my attention that Care2.com's website was hacked, revealing usernames and passwords for the site's nearly 18 million users.

Naked Security reader Bob emailed us to point out that Care2 is storing passwords insecurely.

Rather than storing passwords as a salted cryptographic hash, which would not reveal their customers' passwords if stolen (or would at least make recovering them much more difficult), they are storing them either in plaintext or in a reversible format.

According to the company's own FAQ about the data breach:

"Q. What can I do to recover my password?
A. Visit http://www.care2.com/retrieve_password Enter your user name or email address in the green box titled “Forgot your password or log-in name?” Your password will be emailed to you."


Really!? After the attackers made off with all of your customer information, you are still following the same insecure practices that put your customers' information at risk in the first place?
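To make the difference concrete, here is an added example (not code from the original post or from Care2) contrasting the two storage approaches described above: a reversible record that a "Forgot your password?" form can mail back, and a salted, slow-hashed record that can only be verified. The sample password is constructed; the helper names are mine.

```python
import hashlib
import hmac
import os

# Constructed sample records only; nothing here comes from any real site.

def store_plaintext(password: str) -> dict:
    """Reversible storage: whoever reads the record reads the password."""
    return {"password": password}

def store_salted_hash(password: str, iterations: int = 200_000) -> dict:
    """One-way storage: per-user random salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256), so stolen records cannot be turned back into passwords
    cheaply and identical passwords do not produce identical hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_salted_hash(record: dict, candidate: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def recover_password(record: dict):
    """What a 'Your password will be emailed to you' form can hand back.
    For a hashed record there is nothing to send, so this returns None."""
    return record.get("password")

if __name__ == "__main__":
    pw = "correct horse battery staple"            # constructed sample password
    user_a = store_salted_hash(pw)
    user_b = store_salted_hash(pw)                  # same password, different user
    print(user_a["hash"] != user_b["hash"])         # True: salts differ per user
    print(verify_salted_hash(user_a, pw))           # True: login still works
    print(verify_salted_hash(user_a, pw + "!"))     # False
    print(recover_password(store_plaintext(pw)))    # the password itself
    print(recover_password(user_a))                 # None
```

A site that can fulfil "Your password will be emailed to you" is, by construction, holding something equivalent to the plaintext record; a site holding only the hashed record can reset a password but never reveal it.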

Where does this leave us? Think carefully about who you share personal information with, and before doing so carefully weigh whether they need that information or not.

And for the sake of your entire digital presence, use unique passwords for every site you access. There are great tools to help you, like KeePass or LastPass.

To quote American folk singer Pete Seeger: "When will they ever learn? When will they ever learn?"


9 Responses to Data leaks at Stratfor and Care2 mark the end of a year riddled with data theft

  1. Jon W · 1025 days ago

    Dear care2:
    Instead of emailing our passwords back, why not just post a list of the email addresses & passwords on Facebook and we'll just pick out some to use...?

  2. jessi slaughter · 1025 days ago

    dropping the pete seeger reference in a stratfor story! well done chet, have a very happy New Year's!

  3. David · 1023 days ago

    Does Bob work for Care2? If (likely) not, how could he possibly have knowledge of their password security?! Sounds like a very unreliable source. Care2 said it was their first breach ever, so for a decades-old site of 18M users I seriously doubt they have no/bad security, as is insinuated here.

    • Nathan · 1021 days ago

      The fact that passwords can be emailed back to a user in clear text form highlights they are not being stored in an encrypted format.

      If the passwords were stored securely (i.e. not in clear text) they would not be able to email the user their password, only what their password is in the hash format chosen by Care2.

      • Chester Wisniewski · 1021 days ago

        That is correct @Nathan. Passwords that are stored securely cannot be reversed, making it impossible to mail someone their password. As @Jon W said, they may as well just post them on a bulletin board.

        Consider how many people use the same password multiple places. Would you want the administrator at any given website to see your password?

        I know, I know, your passwords are unique for every site and contain letters, numbers and the entire I Ching. Suffice it to say, that isn't true for most people.

        Even if you trust the IT staff of every website, you may not trust the people who have come to their data.

  4. Cantrell Doughtry · 1021 days ago

    why would you recommend using lastpass when their system was hacked not once but TWICE?

  5. Juan P. Morales · 1020 days ago

    It's pretty scary when you think of how many sites use the same mechanism for recovering user passwords. Simply providing the email address as some kind of verification is completely useless. I know that a few of the sites I frequent have this very same mechanism in place. This is why I try to keep as many different passwords as possible, at least making it more difficult for those who would try to get at my information.

  6. Phil · 1018 days ago

    LastPass has had multiple security breaches in the past year; I personally prefer RoboForm made by Siber Systems. They were the first and are still the best, never had an issue with security.

  7. Hugo · 972 days ago

    Why has Google or YouTube or Facebook not been hacked like Care2?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.