Feeds

Half a MEELLION passwords reset after Scribd security snafu

Scribblers' YouTube claims 99% of users not dirtied

Beginner's guide to SSL certificates

Scribd, which claims to be the world's largest online library, has been hacked - exposing the email addresses, usernames and password hashes of 500,000 users.

The document-sharing website admitted the database raid may have leaked the details of one per cent of its 50-million-plus users.

Potentially affected users have been notified by email and advised to change their passwords, we're told. The website's operators added:

Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.

Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack.

We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected.

The suggestion that only one per cent of users have been affected "because of the way Scribd stores passwords" is a bit of a puzzler. El Reg reader David, whose password was reset in the wake of the breach, was left with several questions over the incident.

He said:

"What's happened with the Scribd potential password leak? In particular what's up with the 1 per cent? I don't think it is the 1 per cent who used Scribd that day, week or month, because I don't visit that often."

Paul Ducklin, Sophos's head of technology for Asia Pacific, said this sort of uncertainty was understandable.

"At first blush, I was inclined to interpret this to mean that 99 per cent of passwords were stored securely, presumably by salting and hashing, leaving only a small proportion open to the scrutiny of intruders," he wrote.

"We've seen cases before where websites have upgraded their password handling systems to make them safer, but seem to have failed to migrate all users to the new system in a timely fashion, leaving some users in an insecure limbo," Ducklin added.

However, Scribd clarified the situation by stating only "encrypted passwords", and by that they mean salted and hashed, were exposed:

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of our users were therefore unaffected by this; however, our analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, we are therefore asking those affected users to reset their password and to change their password on any other services they might have used it on.

Scribd has promised a security review and the introduction of "numerous additional safeguards" in the wake of the security flap, for which it apologises. Unless it was using an outdated password hashing algorithm, it's not easy to say how much more Scribd could do on the password security front.

The shortcomings that allowed hackers to get into its network are an obvious security concern, though.

The YouTube-for-writers website has set up a "breach checker" microsite which lets punters check email addresses against the list of possibly pwned accounts. This tool poses no great risk, but it could be implemented better, according to security experts.

"It would have been a nice touch if the company had used HTTPS for this particular page, rather than sending your email address, and the notification of whether it was on the at-risk list, via unencrypted HTTP," Sophos' Ducklin wrote.

"On the other hand, since anyone can check anyone's email address anyway, and since you probably received an email advising you to change your password already if your account was potentially pwned, it probably doesn't matter." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.