Reputation.com, one of the places that helps to bury negative search results about you, has been hacked.
The online reputation management company on Tuesday sent a letter to customers telling them that its network security personnel had recently discovered and “swiftly shut down” an external attack on its network.
Reputation.com said in the letter that the intruder(s) managed to siphon off names, email addresses and physical addresses. In some instances, phone numbers, dates of birth and occupational information were also filched.
On top of that, a list of salted and hashed passwords for “a small minority” of users was accessed, the company said.
Although it’s “highly unlikely” the passwords could be decrypted, the company immediately changed all users’ passwords, it said.
What was not accessed:
- Financial information, such as credit card numbers or bank account information, which the company doesn’t store (hurray!),
- Social Security Numbers and drivers license numbers, which the company doesn’t request (hurray!),
- Account details, including why users retained Reputation.com’s services (hurray! I imagine that could get embarrassing and potentially be used to make negative content about users zoom back up in search results),
- Communication between users and Reputation.com, and
- Any details about the services users have received.
An interesting point is that the extent of the breach didn’t trigger any legal obligation anywhere in the world (except in the US state of North Dakota. Hurray, North Dakota!) to tell users about the breach, but the company thought it was important enough to let them know anyway.
It’s such a kick in the teeth.
You think you find a site that helps you keep your private data from dribbling out of the myriad online places that siphon it off.
You imagine that the online sliming left by trolls, unhappy customers or whomever’s out to get you has been, if not strangled entirely, at least buried far enough down in search results that its babbling just might be muffled.
Then somebody or somebodies goes and tries to stick a pin in those mission statements.
Well, it appears that Reputation.com’s work to do those things hasn’t been compromised by the attack, and much of the reason for that has to do with good security practices.
So kudos for going above and beyond disclosure requirements, and kudos for salting and hashing passwords, Reputation.com.
Hacked image courtesy of Shutterstock.
Not sure that "salting and hashing" earn kudos. That's a bit like congratulating someone for passing a breathalyzer test…
"a list of highly encrypted (“salted” and “hashed”) user passwords for a small minority of our users was accessed." Good marketing speak there, considering "salted" and "hashed" don't really correlate to "highly encrypted."…
I thought Reputation's press release was smug and condescending, and full of excuses. Do they really think they're off the hook because they hashed my password? The thieves can have my Reputation password – it only gives them access to the limited work Reputation does in removing my information from public databases.
What's more dangerous, from a phishing and social engineering perspective, is that my name, address, email address and possibly date of birth, as well as my association with Reputation, are now exposed. Along with 50 million others.
And just like Reputation's service, the company is doing everything it can to bury the news. Can you find any mention of the breach anywhere on their web site? I've always found Reputation.com to be a little creepy. This hasn't dulled those feelings.
What they're relying on is breach fatigue, knowing that in a couple of days this storm will pass and we may be talking about another breach. Seems like a lifetime ago we were talking about the breach at LivingSocial.
This is good practice.