You may have read about the tens of millions of usernames and passwords that have been compromised, hacked or leaked from major websites in the last few weeks. If not, here are a few of the stories:
- 30 million passwords leaked from LinkedIn due to unsalted SHA-1 hashes stored centrally.
- 6 million passwords hacked at Last.FM, the popular music discovery service.
- 1.5 million passwords leaked from eHarmony.
In the last year other services have experienced serious security breaches:
- 100 million accounts compromised on the Sony Playstation Network (PSN). Sony offered free credit monitoring and games to all PSN users to compensate them, a major departure from the typical “change your password” / sweep it under the rug response.
- All RSA SecurID tokens were compromised by the theft of RSA intellectual property and cryptographic keys. RSA tokens are used by most enterprises to log in remotely as part of a multi-factor authentication scheme.
How can you protect yourself?
Sign up for a service like 1Password or LastPass, which offer convenient browser extensions. They generate a unique password for each website that you use, so a breach of security at Facebook won’t affect your password on Mint.
How can Web Developers protect users?
Move to standardized authentication methods, like OpenID or Facebook/Twitter/Google login integration. If the authentication mechanism is outsourced, your customers and users don’t need to worry about how you store their passwords.
If you absolutely want to store user passwords, please read How to Safely Store a Password and use bcrypt to do the heavy lifting. Then even if your login/password database is compromised, nothing will come of it.
Today someone “hacked” my blog, and a lot of others on MediaTemple’s shared grid hosting, replacing index.php files randomly with:
haCkeD By r00t-x ~ firstname.lastname@example.org ~
Some script kiddie ran a sploit; apparently things are being fixed now:
We have completed the work necessary to secure our GRID infrastructure from this exploit.
We have also repaired the majority of affected sites using our automated tools. We will continue to run these tools throughout the night. Please let us know if you see anything out of place and we will dig deeper.
I was watching the MacWorld 2009 Apple Keynote live when a message appeared in the feed, “STEVE JOBS JUST DIED”, surprising everyone. In a few minutes, the MacRumors feed was full of coordinated hacked spam:
MacRumors apologized for the incident: “Our MacRumorsLive keynote coverage was hacked today, inserting inappropriate content into the text and photo feeds. We apologize for the inconvenience and are working to restore our services.” However, it was not some kind of nefarious hack but simply negligence on their part: the control panel was publicly accessible. One of the nicer 4chan readers took this screenshot of it before it was taken offline:
See also When Livestreams Go Wrong and 4chan’s /g board where the chaos originated. Hopefully this will teach bloggers and web startups to pay more attention to the security of their websites, as hacking websites is growing more and more popular with savvy internet pranksters.