Reputation.com resets all user passwords following breach

Filed Under: Data loss, Featured, Privacy

Reputation.com, one of the places that helps to bury negative search results about you, has been hacked.

The online reputation management company on Tuesday sent a letter to customers telling them that its network security personnel had recently discovered and "swiftly shut down" an external attack on its network.

Reputation.com email

Reputation.com said in the letter that the intruder(s) managed to siphon off names and email and physical addresses. In some instances, phone numbers, dates of birth and occupational information was also filched.

On top of that, a list of salted and hashed passwords for "a small minority" of users was accessed, the company said.

Although it's "highly unlikely" the passwords could be decrypted, the company immediately changed all users' passwords, it said.

What was not accessed:

  • Financial information, such as credit card numbers or bank account information, which the company doesn't store (hurray!),
  • Social Security Numbers and drivers license numbers, which the company doesn't request (hurray!),
  • Account details, including why users retained Reputation.com's services (hurray! I imagine that could get embarrassing and potentially be used to make negative content about users zoom back up in search results),
  • Communication between users and Reputation.com, and
  • Any details about the services users have received.

An interesting point is that the extent of the breach didn't trigger any legal obligation, worldwide (except for the US state of North Dakota. Hurray North Dakota!) to tell users about the breach, but the company thought it was important enough to let them know anyway.

Hacked image, courtesy of ShutterstockIt's such a kick in the teeth.

You think you find a site that helps you keep your private data from dribbling out of the myriad online places that siphon it off.

You imagine that the online sliming left by trolls, unhappy customers or whomever's out to get you has been, if not strangled entirely, at least buried far enough down in search results that its babbling just might be muffled.

Then somebody or somebodies goes and tries to stick a pin in those mission statements.

Well, it appears that Reputation.com's work to do those things hasn't been compromised by the attack, and much of the reason for that has to do with good security practices.

So kudos for going above and beyond disclosure requirements, and kudos for salting and hashing passwords, Reputation.com.


Hacked image courtesy of Shutterstock.

, , , ,

You might like

4 Responses to Reputation.com resets all user passwords following breach

  1. DUI Dave · 535 days ago

    Not sure that "salting and hashing" earn kudos. That's a bit like congratulating someone for passing a breathylizer test...

  2. Mike · 535 days ago

    "a list of highly encrypted (“salted” and “hashed”) user passwords for a small minority of our users was accessed." Good marketing speak there considering "salted" and "hashed" doesn't really correlate to "highly encrypted."...

  3. Neal O'Farrell · 535 days ago

    I thought Reputation's press release was smug and condescending, and full of excuses. Do they really think they're off the hook because they hashed my password? The thieves can have my Reputation password - it only gives them access to the limited work Reputation does in removing my information from public databases.

    What's more dangerous, from a phishing and social engineering perspective, is that my name, address, email address and possibly date of birth, as well as my association with Reputation are now exposed. Along with 50 million others

    And just like Reputation's service, the company is doing everything it can to bury the news. Can you find any mention of the breach anywhere on their web site? I've always found Reputation.com to be a little creepy. This hasn't dulled those feelings.

    What they're relying on is breach fatigue, and know that in a couple of days this storm will pass and we may be talking about another breach. Seems like a lifetime ago we were talking about the breach at LivingSocial.

  4. Bond · 535 days ago

    This is good practise.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.