Dec 13 2010
Three database/email server compromises were revealed over the weekend. A business partner of McDonald's lost their promotional mailing list, Gawker's entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner. None of these cases involved financial data; none of them would have been covered in any way by the PCI requirements. Gawker's compromise is especially egregious as it was their full user database, including the passwords. Rumor has it that Gawker was using DES (not even 3DES) to hash the passwords. If so, that is the old Unix crypt(3) scheme: passwords are truncated to eight characters and each guess costs one cheap DES operation, so bulk brute-forcing is trivial, which is why a large number of the passwords associated with the accounts have already been published. And we all know Gawker users wouldn't reuse account names and passwords on other services, right?
Personally, I don’t have an account on any of these three systems. And if I did, the chances of password and username re-use are slim to none; I use 1Password and try to use random passwords created by the program as much as possible. But, truth be told, I probably still have a number of accounts on older systems that I forgot about and did re-use because I felt they were low importance systems at the time. Any security professional who tells you they’ve never done the same is a better person than I am; either that or they’re lying to themselves. And if we, the security professionals, are guilty of it, how can we expect better from our users? Which means the Gawker compromise is going to lead to a wave of secondary compromises. [Breaking: Twitter accounts being compromised, potentially based on Gawker accounts]
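To make the two problems above concrete, here is an added example (my own illustration, not Gawker's code or anything from the original post). It shows how cheaply an unsalted, fast password hash falls to a wordlist, how a site can transparently upgrade such hashes to salted PBKDF2 on the user's next login, and how a third-party site can check a leaked email/password dump against its own accounts to find reused credentials and force a reset. The legacy scheme is a stand-in (unsalted SHA-1, not DES crypt(3)) chosen so the block runs on stock Python; the iteration count, user names and passwords are all constructed for the demo.

```python
"""Added example: weak legacy hashes, hash upgrade on login, and a
credential-reuse check against a leaked dump. Not code from the post."""
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Stand-in for the weak legacy scheme. It is NOT DES crypt(3), but it has the
# property that matters here: one fast hash call per guess and no per-user
# salt, so a wordlist or a precomputed table cracks it in bulk.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

PBKDF2_ITERATIONS = 200_000  # assumption: tune so one verify costs ~100 ms
STRONG_PREFIX = "pbkdf2_sha256$"

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, self-describing so it can be verified later."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{STRONG_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either storage format (constant-time compare)."""
    if stored.startswith(STRONG_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(legacy_hash(password), stored)

class AccountStore:
    """Toy user table: email -> stored password hash (either format)."""
    def __init__(self, users: dict):
        self.users = dict(users)

    def is_legacy(self, email: str) -> bool:
        return not self.users[email].startswith(STRONG_PREFIX)

    def login(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        if stored is None or not verify(password, stored):
            return False
        # Successful login is the one moment we hold the plaintext, so
        # rehash legacy entries with the strong scheme right here.
        if not stored.startswith(STRONG_PREFIX):
            self.users[email] = strong_hash(password)
        return True

def crack_legacy(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack on an unsalted fast hash: one cheap hash per guess."""
    for guess in wordlist:
        if legacy_hash(guess) == stored:
            return guess
    return None

def reused_credentials(store: AccountStore,
                       leaked_pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Emails from a leaked (email, plaintext) dump whose password also opens
    the local account. These are the users to force through a reset."""
    return [email for email, pw in leaked_pairs
            if email in store.users and verify(pw, store.users[email])]

if __name__ == "__main__":
    # Constructed sample data.
    store = AccountStore({
        "alice@example.com": legacy_hash("password1"),   # legacy entry
        "bob@example.com": strong_hash("correct horse"), # already upgraded
    })
    wordlist = ["123456", "password", "qwerty", "password1"]
    print("cracked alice:", crack_legacy(store.users["alice@example.com"], wordlist))
    print("alice login ok:", store.login("alice@example.com", "password1"))
    print("alice still legacy:", store.is_legacy("alice@example.com"))
    leaked = [("alice@example.com", "password1"), ("bob@example.com", "hunter2")]
    print("force reset for:", reused_credentials(store, leaked))
```

The reuse check is what the secondary sites affected by a dump like this would run: take the leaked email/plaintext pairs, verify each one against your own store, and reset any account that matches, without ever storing the leaked plaintexts.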
The danger with the McDonald's and DeviantArt compromises isn't the account names, it's the potential for phishing and other scams. The phishers now have a validated list of customers to target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click through to malicious sites. From there they can move on to lower-impact, less obvious attacks, but a fake breach warning is how I'd start: a user is quite a bit more likely to trust an email warning them of danger than any other email.
This is a great way to end 2010. Or not. These systems were viewed by their owners as low-value targets and were protected accordingly. But it's proof that no matter how low value the data, if you accumulate enough of it, there is value in the data. No financial data was stolen directly, but the amount of information that could be used to lead to a financial compromise is considerable. What are the chances that at least a small percentage of the compromised accounts will turn out to be using the same account name and password for their banking as well? Probably a lot higher than we'd like to admit.
[Update: I missed the Walgreens customer list compromise. I wonder if it's related to the McDonald's compromise? Thanks, @falconsview]