Universal Music passwords exposed by Anonymous hack
AntiSec strikes again
Universal Music websites suffered a breach that exposed the usernames and passwords of fans of bands who had signed up for updates on their favourite musicians.
Infamous hacktivist group Anonymous claimed responsibility for the hack as part of its AntiSec campaign, which aims to expose the weak spots in the internet security of big firms and government organisations. The group released a cache of files stolen from Universal as well as similar data extracted from Viacom, the Wall Street Journal adds.
In an email sent to a Reg reader on Monday, Universal admitted that email addresses, passwords and users' real names were exposed by an attack on the website of British indie rock band The Klaxons. No financial or credit card details were exposed, it added.
The circumstances of the breach suggest that the music label had stored passwords in plain text. Universal apologised for the breach and urged customers to change their passwords all around, especially if they had used the exposed login credentials on other sites. It also warned users to be wary of follow-up phishing attacks. ®
Change your password so that..
We <Universal> can store it in plain text again and the next time we get broken into the attackers will get your new password as well.
Storing the password or storing the encrypted password would be storing the password. Anyone with access to the data (or data + key for encryption) knows your password.
Storing a hash (salted or otherwise) would be storing a string of crap that can't (reliably|easily) be converted back into a password. You could find a string of text that results in the given string, but you can't be certain that's the actual original password.
Nitpicking, maybe, but I agree with the original comment.
Plain text? That's not the issue...
It's not the plain text aspect of storing the passwords that bothers me - that's not the real problem here. The real problem is storing the passwords AT ALL!!
C'mon guys - salted hash?
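The salted-hash storage the comments above argue for, as an added example that is not part of the original article or comments and is not Universal's code. The account names, sample password, record layout and iteration count are constructed assumptions; PBKDF2-HMAC-SHA256 from Python's standard library stands in for whichever slow password hash a site would choose.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def make_record(password: str) -> dict:
    """Return what the site stores: a per-user salt and a derived hash, never the password."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash from a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_view(db: dict) -> str:
    """Everything an intruder who dumps the table gets to read."""
    return "\n".join(f"{user} {rec['salt']} {rec['hash']}" for user, rec in db.items())


# Constructed sample accounts: two fans who happen to reuse the same password.
SAMPLE_PASSWORD = "klaxons-fan-2011"
db = {
    "alice@example.com": make_record(SAMPLE_PASSWORD),
    "bob@example.com": make_record(SAMPLE_PASSWORD),
}

if __name__ == "__main__":
    print(leaked_view(db))  # salts and hashes only
    print(verify(SAMPLE_PASSWORD, db["alice@example.com"]))
    print(verify("wrong-guess", db["alice@example.com"]))
```

Because each record has its own salt, the two identical passwords produce different stored hashes, so a dump does not even reveal which users share a password.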