12 comments

[ 4.1 ms ] story [ 38.7 ms ] thread
And apparently they were using unsalted MD5.
It'll be interesting to see if these two breaches lead to either: 1. A large number of websites realizing that their lazy authentication is a time bomb, and fixing it. 2. A large number of attackers realizing that many more websites probably have this kind of vulnerability, and exploiting it.
I imagine in reality one will try and out-race the other to the outcome they want (most likely 2 will beat 1).
Are both of these sites (LinkedIn, eHarmony) really assuming that only the hashes posted to the forum thread have been compromised? Isn't that, well, a really really bad assumption?
Another reason I'm glad that I'm married (and faithful)!
That brings up an interesting thought. I wonder how ashleymadison.com stores its user data. If any piece of identifying user data were leaked, it could kill their business (which many would welcome I'm sure).
If I were a criminal hacker with access to ashleymadison.com user data I wouldn't be talking about it. I'd be blackmailing wealthy people who are cheating on the site or the site itself.

So, I doubt you'd hear about such a hack.

True. Some people are driven by things other than money, though. e.g. the idea that they are doing "God's work"
Those people aren't typically hackers.
Poor choice of words in "God's work." I didn't mean to insinuate that they had to be religious, just that they are hacking for some ideal(s) rather than personal gain or just to be a dick. Anonymous, for example.
Gotcha. I was blinded by my own secular zealotry!
With all these breaches my idea for a browser extension that stores a blacklist of websites & warns you about them mailing plaintext passwords, insecure password authentication or storing credit card details BEFORE I sign up has never been more appealing