The Register® — Biting the hand that feeds IT


Universal Music passwords exposed by Anonymous hack

AntiSec strikes again


Universal Music websites suffered a breach that exposed the usernames and passwords of fans of bands who had signed up for updates on their favourite musicians.

Infamous hacktivist group Anonymous claimed responsibility for the hack as part of its AntiSec campaign, which aims to expose the weak spots in the internet security of big firms and government organisations. The group released a cache of files stolen from Universal as well as similar data extracted from Viacom, the Wall Street Journal adds.

In an email sent to a Reg reader on Monday, Universal admitted that email addresses, passwords and users' real names were exposed by an attack on the website of British indie rock band The Klaxons. No financial or credit card details were exposed, it added.

The circumstances of the breach suggest that the music label had stored passwords in plain text. Universal apologised for the breach and urged customers to change their passwords all around, especially if they had used the exposed login credentials on other sites. It also warned users to be wary of follow-up phishing attacks. ®


Change your password so that..

We <Universal> can store it in plain text again and the next time we get broken into the attackers will get your new password as well.


No...

Storing the password or storing the encrypted password would be storing the password. Anyone with access to the data (or data + key for encryption) knows your password.

Storing a hash (salted or otherwise) would be storing a string of crap that can't (reliably|easily) be converted back into a password. You could find a string of text that results in the given string, but you can't be certain that's the actual original password.

Nitpicking, maybe, but I agree with the original comment.


Plain text? That's not the issue...

It's not the plain text aspect of storing the passwords that bothers me - that's not the real problem here. The real problem is storing the passwords AT ALL!!

C'mon guys - salted hash?

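The difference the comments above argue over, between a table of plain-text passwords and a table of salted hashes, shown as an added example (not code from the article, the commenters or Universal). The sign-up data is constructed, and the choice of scrypt and its cost parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed values for this example; tune per deployment).
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def make_record(password: str) -> dict:
    """Return what the site stores: a per-user random salt and the derived digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive the digest from the submitted password and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def build_tables(signups: dict) -> tuple:
    """Build the same user table two ways: plain text, and salted scrypt records."""
    plaintext_table = dict(signups)
    hashed_table = {email: make_record(pw) for email, pw in signups.items()}
    return plaintext_table, hashed_table


def leaked_passwords(table_dump: str, signups: dict) -> list:
    """Return the passwords that appear verbatim in a dumped table."""
    return sorted({pw for pw in signups.values() if pw in table_dump})


# Constructed sample sign-ups; two fans chose the same password.
SIGNUPS = {
    "fan1@example.com": "klaxons4ever",
    "fan2@example.com": "klaxons4ever",
    "fan3@example.com": "correct horse battery",
}

if __name__ == "__main__":
    plain, hashed = build_tables(SIGNUPS)
    print("plaintext dump leaks:", leaked_passwords(repr(plain), SIGNUPS))
    print("hashed dump leaks:   ", leaked_passwords(repr(hashed), SIGNUPS))
    print("same password, same record?",
          hashed["fan1@example.com"] == hashed["fan2@example.com"])
    print("login still works:", verify("klaxons4ever", hashed["fan1@example.com"]))
```

Because each record carries its own random salt, the two fans with identical passwords end up with different stored digests, so a dump does not reveal which accounts share a password.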
