Racing aficionados, take heed: attackers spent Friday and Saturday kicking over the database at Racingpost.com and have trotted off with customer records.
The site, which is devoted to dogs, horses, and placing bets on the fleetest of either lot, posted a statement saying that attackers kept up a "sophisticated, sustained and aggressive attack" on Friday and Saturday, managing to access a database and make off with the details for an undisclosed number of customers.
Not to worry about credit card numbers, given that the site doesn't act as a bookie. That means there was no customer credit card information for the crooks to filch, Racing Post says:
Betting through the site with our partner bookmakers has at all times been unaffected as this activity takes place directly with the bookmaker. Racing Post is not involved in the process - we hold no details whatsoever in relation to your betting accounts.
Customer credit and debit card details are not stored on the site and have therefore not been accessed and are not at risk.
Still, there's plenty left for phishers to chew on, given that the breached data included usernames, first and last names, encrypted passwords, email and customer addresses, and dates of birth.
Fortunately, the breached passwords were encrypted, the company says.
Unfortunately, that means nothing, given that the company didn't mention having hashed or salted those encrypted passwords.
In fact, Racing Post is advising customers to change their passwords if they use them on other sites, given that it's a little shaky regarding the strength of that encryption.
From the statement:
Our advice, if in doubt, is to change passwords on other sites as a precaution as we cannot be confident that the hackers will be unable to break the encryption.
If the site's users have repeated passwords between RacingPost.com and other sites, it will be a breeze for attackers to waltz into those other sites when/if they manage to crack the passwords.
In fact, password reuse is such a needlessly generous offering to cyber crooks, Facebook, for one, tries to head off hijackings of customer accounts by proactively running breached data sets against its own users' login credentials.
If it finds password reuse, Facebook hides accounts from public view until a given user cleans up his/her act.
Would that all sites lavished that type of forethought on password reusers!
Alas, they do not.
But Racing Post, for its part, has taken the precaution of disabling log-in and registration functionality, although it says the site is safe and open, including access to Members' Club content.
In a letter sent to affected customers, Racing Post said that it's already overhauled security. It's also called in the cyber-security big guns to help it to further iron out its wrinkled security profile.
From The Register's coverage:
Please be assured that we are currently reviewing all of our security measures and will put in place even stronger protection to stop this happening again. Extensive changes have already been made overnight with the assistance of industry-leading cyber-security experts.
OK, sounds promising. Let's just hope that these experts know how to roll out proper encryption.
Sophos is always ready to lend a hand with that, of course.
Here's Paul Ducklin's take on Adobe's Clydesdale-sized* cryptographic blunder, for starters!
*Sorry for all the horse puns. I know they're lame. I'm really feeling my oats today.Follow @NakedSecurity