San Francisco-based document sharing site Scribd has admitted to a network intrusion.
Scribd bills itself as The World's Largest Online Library, and with a suggested 50 million users or more, it's hardly surprising that the site has attracted the attention of cybercriminals.
Details are scant, but a notification published on the company's online Support Desk states:
Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.
Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack.
We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password.
Therefore, if you did not receive an email from us, you are most likely unaffected.
The comment that less than 1% of users were potentially compromised "because of the way Scribd stores passwords" could probably have been made more clearly.
At first blush, I was inclined to interpret this to mean that 99% of passwords were stored securely, presumably by salting and hashing, leaving only a small proportion open to the scrutiny of intruders.
→ We've seen cases before where websites have upgraded their password handling systems to make them safer, but seem to have failed to migrate all users to the new system in a timely fashion, leaving some users in an insecure limbo.
The good news, if you read on, is that it looks as though none of Scribd's passwords are stored in cleartext, as the company goes on to say that:
Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.
Scribd isn't claiming any certainty in what was taken (the verb believe implies acceptance without proof), but that's not unexpected.
Determining precisely what was stolen after an electronic break-in is tricky, and pedantic readers will be quick to point out that, technically, nothing was stolen because the original copies of the data remained behind.
Scribd also isn't clarifying how the passwords were encrypted, and the company probably doesn't actually mean encrypted, either.
Salting and hashing passwords is supposed to be a one-way process that allows the passwords to be verified, but not decrypted to reveal the original cleartext.
Assuming they were hashed and salted, then, stealing the password database doesn't directly reveal anyone's password.
But it does let the crooks mount an offline attack on the database, hashing a dictionary of passwords one-by-one and noticing when a guessed password is verified against the database of hashes.
And since Scribd isn't saying what password security algorithm it used, you have little choice but to assume it was a hashing process that doesn't slow down determined attackers much.
That's why the following behaviours are important:
- When you choose a password, don't pick anything obvious. Attackers put the most likely passwords at the top of their dictionary lists, so the tougher your password, the later it will fall, if at all.
- Don't use the same password on multiple sites. Doing so means that your login details on the most important site are at risk from an attack on the least secure one.
- If you store password databases, use a strong salt-and-hash system (e.g. bcrypt, scrypt or PBKDF2) that makes it much harder and slower for attackers to go through their password dictionary, but not so slow that it's impracticable to verify individual passwords when your users login.
Scribd has put up an online "breach checker" which lets you check individual email addresses against the list of probably-pwned accounts:
It would have been a nice touch if the company had used HTTPS for this particular page, rather than sending your email address, and the notification of whether it was on the at-risk list, via unencrypted HTTP:
On the other hand, since anyone can check anyone's email address anyway, and since you probably received an email advising you to change your password already if your account was potentially pwned, it probably doesn't matter.
More about managing passwords
To learn more about managing, choosing and policing passwords in your organisation, why not listen to our popular Techknow podcast on this very topic?
(If you prefer to listen offline, you can download the podcast for later.)