In the last few weeks, hackers have been taking advantage of lazy security practices on websites. In two incidents involving the adult entertainment industry, almost 2 million customers have had usernames, passwords, email addresses, dates of birth and other personal information exposed.
On February 11, 2012, Luxembourg-based Manwin Holding SARL had a data breach that compromised 350,000 user records, including usernames, encrypted passwords and email addresses. A hacker who said he is affiliated with the group Anonymous accessed an inactive forum to help enter some linked websites. And when he got there, he found a bonanza of data. A small sample was posted to the Internet and I’m sure hackers are having a field day as they sift through the information. Based on what was leaked, it was possible to determine some users’ full names and country of residence. Hello fraud and phishing!
On February 20, 2012, Netherlands-based YouPorn had a list of 1.4 million user email addresses, passwords and dates of birth exposed. YouPorn is a popular video website and one of the top 100 visited websites in the world. Apparently debug data had been stored in plain text on a publicly accessible website since 2007, as shown below. The company shut down the compromised server, but the information is still floating around the Internet.
Both of these incidents are very disturbing since either sloppy practices or stupidity is to blame for the data breaches. In the case of Manwin, at least the passwords were encrypted. Unfortunately that was not the case with YouPorn. Usernames, emails and passwords were sitting in plain text there for the taking. In both cases, personal information was not encrypted and old-style methods were used to retain it.
The biggest security problem is that many people use the same username and password for many different sites. A lot of sites are using an email address as a username so this makes it easier to compromise other accounts. If a hacker knows your email address and YouPorn password, they can try to use them to hack into your Amazon account, PayPal, GMail, you name it. From there, they could obtain credit card numbers and are off on a spending spree. We all know not to use the same username and password for multiple accounts, but we all do it because it’s easier to remember. If you are still using the same password on multiple sites, please change them now.
The other issue is storing this information in a text file. Most modern websites store user credentials in a database. All modern databases make it easy to encrypt stored data. Passwords should use hash algorithms so only the hash is stored and not the password itself. Many more sophisticated sites use OAuth, OpenID and other more secure methods of access so that only a temporary access token is passed rather than a password.
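As an added illustration of the "store only the hash" point above (example code, not from the original post or from either company), here is a minimal salted password record and its verification. The iteration count, record format and the sample password are my own assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a demonstration cost; real deployments tune this to their hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The password itself never appears in the record, so a leaked credential
    table does not hand the attacker the password the way a plain-text file does."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def record_leaks_password(record: str, password: str) -> bool:
    """What someone who steals the stored record can read directly."""
    return password in record


def demo() -> dict:
    # Constructed sample user; not data from either breach.
    pw = "correct horse battery staple"
    rec = hash_password(pw)
    return {
        "verifies": verify_password(pw, rec),
        "rejects_wrong": verify_password("wrong password", rec),
        "leaks_plaintext": record_leaks_password(rec, pw),
        "same_pw_same_hash": hash_password(pw) == rec,  # False: fresh salt each time
    }


if __name__ == "__main__":
    print(demo())
```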
Storing user information in encrypted databases is great unless someone runs a query and pulls it into a spreadsheet or other document for local use. Once there, it is vulnerable to prying eyes. In no cases should these documents contain passwords, but email addresses, dates of birth and other demographic information may be common. If you need to use this information in a document, you should encrypt it with a persistent security policy. That lets you control who can access the document and what they can do with the information inside it. That’s critical if you leave it on an unprotected server where anyone might get to it.
Take a look at your websites and other publicly accessible servers to make sure you aren’t exposing private or confidential information. Lock down those documents that have private data. Even if a hacker gets your document, they won’t be able to use the information inside. Then you can’t be accused of being sloppy.
Photo credit skippyjon