It'll be interesting to see if these two breaches lead to either:
1. A large number of websites realizing that their lazy authentication is a time bomb, and fixing it.
2. A large number of attackers realizing that many more websites probably have this kind of vulnerability, and exploiting it.
Are both of these sites (LinkedIn, eHarmony) really assuming that only the hashes posted to the forum thread have been compromised? Isn't that, well, a really really bad assumption?
That brings up an interesting thought. I wonder how ashleymadison.com stores its user data. If any piece of identifying user data were leaked, it could kill their business (which many would welcome I'm sure).
If I were a criminal hacker with access to ashleymadison.com user data I wouldn't be talking about it. I'd be blackmailing wealthy people who are cheating on the site or the site itself.
Poor choice of words in "God's work." I didn't mean to insinuate that they had to be religious, just that they are hacking for some ideal(s) rather than personal gain or just to be a dick. Anonymous, for example.
With all these breaches my idea for a browser extension that stores a blacklist of websites & warns you about them mailing plaintext passwords, insecure password authentication or storing credit card details BEFORE I sign up has never been more appealing
12 comments
[ 4.1 ms ] story [ 38.7 ms ] threadSo, I doubt you'd hear about such a hack.