Half a MEELLION passwords reset after Scribd security snafu

Scribblers' YouTube claims 99% of users not dirtied

Scribd, which claims to be the world's largest online library, has been hacked - exposing the email addresses, usernames and password hashes of 500,000 users.

The document-sharing website admitted the database raid may have leaked the details of one per cent of its 50-million-plus users.

Potentially affected users have been notified by email and advised to change their passwords, we're told. The website's operators added:

Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.

Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack.

We have now emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password. Therefore, if you did not receive an email from us, you are most likely unaffected.

The suggestion that only one per cent of users have been affected "because of the way Scribd stores passwords" is a bit of a puzzler. El Reg reader David, whose password was reset in the wake of the breach, was left with several questions over the incident.

He said:

"What's happened with the Scribd potential password leak? In particular what's up with the 1 per cent? I don't think it is the 1 per cent who used Scribd that day, week or month, because I don't visit that often."

Paul Ducklin, Sophos's head of technology for Asia Pacific, said this sort of uncertainty was understandable.

"At first blush, I was inclined to interpret this to mean that 99 per cent of passwords were stored securely, presumably by salting and hashing, leaving only a small proportion open to the scrutiny of intruders," he wrote.

"We've seen cases before where websites have upgraded their password handling systems to make them safer, but seem to have failed to migrate all users to the new system in a timely fashion, leaving some users in an insecure limbo," Ducklin added.

However, Scribd later clarified that only "encrypted passwords" were exposed, and by "encrypted" it means salted and hashed:

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of our users were therefore unaffected by this; however, our analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, we are therefore asking those affected users to reset their password and to change their password on any other services they might have used it on.

Scribd has promised a security review and the introduction of "numerous additional safeguards" in the wake of the security flap, for which it apologises. Salting and hashing defeats precomputed lookup tables, but it does nothing for users whose passwords sit in a cracker's wordlist; how many of those fall depends on the cost of each guess, which is set by the hashing algorithm and its work factor. Unless Scribd was using an outdated or cheap algorithm, it's not easy to say how much more it could do on the password security front.
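As an added illustration (this is not code from The Register or from Scribd, which has not said which algorithm it uses), the Python sketch below shows what "salted and hashed" buys and what it does not. It uses PBKDF2-HMAC-SHA256 as an assumed stand-in for a properly salted, iterated scheme and unsalted SHA-1 as an assumed stand-in for a legacy one, runs an offline dictionary attack against a constructed four-user table to show that only the user with a wordlist password is recovered, and upgrades a legacy record at login, the only moment a site holds the plaintext, which is the migration gap Ducklin describes. The usernames, passwords, wordlist and iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Cost parameters for the salted, iterated scheme (assumed values; the
# article does not say which algorithm or work factor Scribd uses).
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed attacker wordlist (not from any real leak).
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "scribd"]


def legacy_hash(password: str) -> str:
    """Unsalted, single-round SHA-1, standing in for an older scheme.

    Assumed for contrast only; the article does not say Scribd used it.
    Identical passwords give identical hashes, so one precomputed table
    cracks every user at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iters$salt_hex$dk_hex'.

    A fresh random salt per user means equal passwords hash differently and
    every guess must be recomputed per user; the iteration count sets the
    attacker's cost per guess.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack on a leaked table of salted records.

    Salting defeats precomputed tables, but a password that appears in the
    attacker's wordlist still falls: these are the "small percentage" that a
    breach like this exposes even when storage is done properly.
    """
    found: Dict[str, str] = {}
    for user, record in table.items():
        for guess in wordlist:
            if verify_password(guess, record):
                found[user] = guess
                break
    return found


def migrate_on_login(user: str, password: str, table: Dict[str, str]) -> bool:
    """Authenticate and, if the record is a legacy unsalted hash, upgrade it.

    The plaintext is only available while the user logs in, so this is the
    only point at which a site can re-hash an old record; accounts that never
    log in stay on the weak scheme, the limbo Ducklin describes.
    """
    record = table[user]
    if record.startswith("pbkdf2_sha256$"):
        return verify_password(password, record)
    if hmac.compare_digest(legacy_hash(password), record):
        table[user] = hash_password(password)
        return True
    return False


def build_sample_table() -> Dict[str, str]:
    """Constructed user table: one wordlist password, three strong ones."""
    users = {
        "alice": "123456",               # in WORDLIST: will be cracked
        "bob": "Tz9#vLq2!pRw",
        "carol": "h0rse-staple-battery-4",
        "dave": "Wq7!kJ2m-Zx5",
    }
    return {user: hash_password(pw) for user, pw in users.items()}


if __name__ == "__main__":
    leaked = build_sample_table()
    print("cracked:", crack(leaked, WORDLIST))          # only alice
    legacy = {"erin": legacy_hash("letmein")}
    print("login ok:", migrate_on_login("erin", "letmein", legacy))
    print("upgraded:", legacy["erin"].startswith("pbkdf2_sha256$"))
```

The attack loop is deliberately the slow path: with a per-user salt the attacker cannot hash each guess once and compare it against the whole table, and each guess costs a full PBKDF2 run. Raising the iteration count (or moving to a memory-hard function such as scrypt or Argon2) multiplies that cost; it is the one knob a site controls after the table has already leaked, which is why the algorithm in use decides how much a "salted and hashed" reassurance is actually worth.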

The shortcomings that allowed hackers to get into its network are an obvious security concern, though.

The YouTube-for-writers website has set up a "breach checker" microsite which lets punters check email addresses against the list of possibly pwned accounts. This tool poses no great risk, but it could be implemented better, according to security experts.

"It would have been a nice touch if the company had used HTTPS for this particular page, rather than sending your email address, and the notification of whether it was on the at-risk list, via unencrypted HTTP," Sophos' Ducklin wrote.

"On the other hand, since anyone can check anyone's email address anyway, and since you probably received an email advising you to change your password already if your account was potentially pwned, it probably doesn't matter." ®
