Mag publisher Future stored your FileSilo passwords in plaintext. Then hackers hit
Plaintext passwords. In 2017
UK magazine publisher Future's FileSilo website has been raided by hackers, who have made off with, among other information, unencrypted user account passwords.
FileSilo.co.uk is a website Future's mag subscribers can log into to download materials, such as Photoshop templates and graphics, for tutorials published in its print titles. Future is responsible for things like Edge, Digital Camera World, and ImagineFX.
A notice sent to FileSilo users on Wednesday advises everyone to change their passwords for the site, and any other website with the same password, "as a matter of urgency," due to the astonishingly bad decision to store the passwords without encryption. Yes, in plaintext.
"In the last 24 hours it has come to our attention that FileSilo.co.uk's user registration database has been compromised," customers were told.
"Unfortunately users' email addresses, usernames, passwords (stored in plaintext), name and surname may have been stolen in the process."
The FileSilo site has been shut down as a result of the attack and its administrators say it will relaunch once "we are satisfied that the breach has been fully rectified." Hopefully that includes not storing passwords in plaintext.
"We take the security of our registered users extremely seriously and we are investing in implementing advanced systems that enhance that security," said the company that just lost user passwords it kept in plaintext. "These efforts continue to proceed on track."
In the meantime, users should make a point of reviewing their stored passwords and changing those for any site that shared the FileSilo password, which was stored in plaintext and then stolen.
This might also be a good time to ask the operators of those sites if, like FileSilo, they have left passwords sitting around in plaintext for hackers to steal.
El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. In accordance with FileSilo's security policy, we sent the request in plaintext.
We have not heard back. ®