Feeds

Half a MEELLION passwords reset after Scribd security snafu

Scribblers' YouTube claims 99% of users not dirtied

Using blade systems to cut costs and sharpen efficiencies

Scribd, which claims to be the world's largest online library, has been hacked - exposing the email addresses, usernames and password hashes of 500,000 users.

The document-sharing website admitted the database raid may have leaked the details of one per cent of its 50-million-plus users.

Potentially affected users have been notified by email and advised to change their passwords, we're told. The website's operators added:

Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.

Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack.

We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected.

The suggestion that only one per cent of users have been affected "because of the way Scribd stores passwords" is a bit of a puzzler. El Reg reader David, whose password was reset in the wake of the breach, was left with several questions over the incident.

He said:

"What's happened with the Scribd potential password leak? In particular what's up with the 1 per cent? I don't think it is the 1 per cent who used Scribd that day, week or month, because I don't visit that often."

Paul Ducklin, Sophos's head of technology for Asia Pacific, said this sort of uncertainty was understandable.

"At first blush, I was inclined to interpret this to mean that 99 per cent of passwords were stored securely, presumably by salting and hashing, leaving only a small proportion open to the scrutiny of intruders," he wrote.

"We've seen cases before where websites have upgraded their password handling systems to make them safer, but seem to have failed to migrate all users to the new system in a timely fashion, leaving some users in an insecure limbo," Ducklin added.

However, Scribd clarified the situation by stating only "encrypted passwords", and by that they mean salted and hashed, were exposed:

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of our users were therefore unaffected by this; however, our analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, we are therefore asking those affected users to reset their password and to change their password on any other services they might have used it on.

Scribd has promised a security review and the introduction of "numerous additional safeguards" in the wake of the security flap, for which it apologises. Unless it was using an outdated password hashing algorithm, it's not easy to say how much more Scribd could do on the password security front.

The shortcomings that allowed hackers to get into its network are an obvious security concern, though.

The YouTube-for-writers website has set up a "breach checker" microsite which lets punters check email addresses against the list of possibly pwned accounts. This tool poses no great risk, but it could be implemented better, according to security experts.

"It would have been a nice touch if the company had used HTTPS for this particular page, rather than sending your email address, and the notification of whether it was on the at-risk list, via unencrypted HTTP," Sophos' Ducklin wrote.

"On the other hand, since anyone can check anyone's email address anyway, and since you probably received an email advising you to change your password already if your account was potentially pwned, it probably doesn't matter." ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.