Half a MEELLION passwords reset after Scribd security snafu

Scribblers' YouTube claims 99% of users not dirtied

Scribd, which claims to be the world's largest online library, has been hacked - exposing the email addresses, usernames and password hashes of 500,000 users.

The document-sharing website admitted the database raid may have leaked the details of one per cent of its 50-million-plus users.

Potentially affected users have been notified by email and advised to change their passwords, we're told. The website's operators added:

Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.

Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack.

We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected.

The suggestion that only one per cent of users have been affected "because of the way Scribd stores passwords" is a bit of a puzzler. El Reg reader David, whose password was reset in the wake of the breach, was left with several questions over the incident.

He said:

"What's happened with the Scribd potential password leak? In particular what's up with the 1 per cent? I don't think it is the 1 per cent who used Scribd that day, week or month, because I don't visit that often."

Paul Ducklin, Sophos's head of technology for Asia Pacific, said this sort of uncertainty was understandable.

"At first blush, I was inclined to interpret this to mean that 99 per cent of passwords were stored securely, presumably by salting and hashing, leaving only a small proportion open to the scrutiny of intruders," he wrote.

"We've seen cases before where websites have upgraded their password handling systems to make them safer, but seem to have failed to migrate all users to the new system in a timely fashion, leaving some users in an insecure limbo," Ducklin added.

However, Scribd clarified the situation by stating that only "encrypted passwords" - by which it means salted and hashed passwords - were exposed:

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of our users were therefore unaffected by this; however, our analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, we are therefore asking those affected users to reset their password and to change their password on any other services they might have used it on.

Scribd has promised a security review and the introduction of "numerous additional safeguards" in the wake of the security flap, for which it apologises. Unless it was using an outdated password hashing algorithm, it's not easy to say how much more Scribd could do on the password security front.
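To make concrete what "salted and hashed" buys a site, and what Ducklin's "insecure limbo" of un-migrated legacy records looks like in practice, here is an added example that is not Scribd's code and not from the original article. It assumes a self-describing record format and PBKDF2-HMAC-SHA256 as the modern scheme; the unsalted SHA-1 "legacy" scheme is a constructed stand-in for whatever outdated algorithm a site might still carry. The audit function counts how many users remain on the weak scheme, and the login path upgrades a record transparently once the user's plaintext is available.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: a modern PBKDF2 iteration count; tune per deployment and raise over time.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt b64>$<hash b64>.

    A fresh random salt per user means two users with the same password get
    different hashes, and a precomputed table cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def legacy_hash(password: str) -> str:
    """Constructed example of an outdated scheme: unsalted, single-round SHA-1."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (password_ok, needs_rehash).

    needs_rehash is True when the record is on the legacy scheme or uses
    fewer iterations than the current policy, so the caller can upgrade it.
    """
    scheme, _, rest = stored.partition("$")
    if scheme == "pbkdf2_sha256":
        iters_str, salt_b64, hash_b64 = rest.split("$")
        iterations = int(iters_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
        return ok, ok and iterations < PBKDF2_ITERATIONS
    if scheme == "sha1":
        candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
        ok = hmac.compare_digest(candidate, rest)
        return ok, ok  # any surviving legacy record should be upgraded on next login
    raise ValueError("unknown password scheme: %r" % scheme)


def audit_store(records: Dict[str, str]) -> Dict[str, int]:
    """Count users still sitting on the legacy scheme versus the modern one."""
    counts = {"modern": 0, "legacy": 0}
    for rec in records.values():
        counts["legacy" if rec.startswith("sha1$") else "modern"] += 1
    return counts


def login_and_upgrade(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify a login and, if the stored record is weak, rewrite it with the modern scheme."""
    ok, needs_rehash = verify_password(password, store[username])
    if ok and needs_rehash:
        store[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample store: one user migrated, one left in limbo.
    users = {"alice": hash_password("correct horse"), "bob": legacy_hash("battery staple")}
    print("before:", audit_store(users))
    login_and_upgrade(users, "bob", "battery staple")
    print("after: ", audit_store(users))
```

The audit step is the check a defender would run before claiming that "most users were unaffected": if the count of legacy records is zero, a stolen dump contains only salted, slow hashes; any non-zero count is exactly the population that a password reset should target.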

The shortcomings that allowed hackers to get into its network are an obvious security concern, though.

The YouTube-for-writers website has set up a "breach checker" microsite which lets punters check email addresses against the list of possibly pwned accounts. This tool poses no great risk, but it could be implemented better, according to security experts.

"It would have been a nice touch if the company had used HTTPS for this particular page, rather than sending your email address, and the notification of whether it was on the at-risk list, via unencrypted HTTP," Sophos' Ducklin wrote.

"On the other hand, since anyone can check anyone's email address anyway, and since you probably received an email advising you to change your password already if your account was potentially pwned, it probably doesn't matter." ®
