Sophos Cloud Optix
If you have an account on AutoGuide.com, Motorcycle.com, PetGuide.com, Tractor.com, IBSgroup.org or any of VerticalScope’s other community websites and forums, change your password – TODAY!
Hackers have stolen tens of millions of accounts from popular forums belonging to the Toronto-based media company. The forums cover a multitude of diverse verticals from automotive, powersports and technology to pets, health and wellness, home improvements and outdoor.
In a security update on its website, the company rather downplays the situation. It prefers to highlight recently revealed breaches on social media sites before getting around to telling its own users that they need to change their passwords:
VerticalScope is implementing some security changes related to our forum password strength and password expiration policies. These are in response to increased internet awareness of security-related incidents on outside major social media websites with which we share many common users. In addition, we recently became aware of potential risks to community accounts (username, userid, encrypted password and email address) on many Forum online communities, including some owned and operated by VerticalScope. To be safe, these changes are being implemented on all of our Forum communities to help protect all of our users on each of our websites.
Poor password storage
Breach notification site LeakedSource.com analysed a copy of the stolen data and found that records may contain an email address, username, IP address and one – or even two – passwords.
The passwords were not stored in clear text so anyone in possession of the leaked data will need to crack the passwords before they can use them. How difficult they are to crack depends on how strong they are and on how they were stored.
Unfortunately most of the passwords were stored using an old technique that’s easy to crack:
… less than 10% of the domains which account for a very small amount of leaked records used difficult to break encryption (less than a couple million). Most of the records (over 40 million) were just MD5 with salting and this is insufficient.
It’s a similar situation to the well-publicised Ashley Madison data leak where some users’ passwords were stored using a modern technique (bcrypt) and others were stored using the same obsolete MD5 hashes used by VerticalScope.
A lot of researchers didn’t even bother trying to crack the bcrypt-ed passwords from Ashley Madison but one that did took a week to crack just 4,000 of the weakest. A different group of researchers took a swing at the MD5 hashes and cracked 11 million in just 10 days.
Companies and users must act responsibly
This latest news comes less than a week after high profile data breaches on three major social networks, MySpace, LinkedIn and Tumblr, were revealed.
Against the background of so much stolen data it’s easy to lose sight of the seriousness of a breach exposing tens of millions of poorly stored passwords. Users who entrust companies with their passwords have every right to expect them to be stored correctly so that they’re well protected even if their data is stolen.
And users? To play their part they need to chose strong, unique passwords.
The weakest passwords are the first to fall – LeakedSource.com has listed the top passwords used by VerticalScope users with ‘123456’ coming top and ‘password’ coming third. ‘111111’ and ‘qwerty’ also make the top twenty.
Users should also expect that the hackers behind this breach will try the stolen passwords on other websites too, or resell the passwords to other criminals who will.
So, if you’re a VerticalScope user, go and change your password and if you used it on any other sites, change those passwords too.
Is there a full list of the sites affected?