Dec 13 2010

Customer information stolen

Published by at 5:24 am under Hacking

Three database/email server compromises were revealed over the weekend.  A business partner of McDonald’s lost their promotional mailing list, Gawker’s entire user database was compromised and posted, and the DeviantArt user mailing list was also stolen, along with additional user information, again through a partner.  None of these cases involved financial data; none of these would have been covered in any way by the PCI requirements.  Gawker’s compromise is especially egregious as it was their full user database, including the passwords.  Rumor has it that Gawker was using DES (not even 3DES) to encrypt the passwords, which is why a large number of the passwords associated with the accounts have been published.  And we all know Gawker users wouldn’t reuse account names and passwords on other services, right?

Personally, I don’t have an account on any of these three systems.  And if I did, the chances of password and username re-use are slim to none; I use 1Password and try to use random passwords created by the program as much as possible.  But, truth be told, I probably still have a number of accounts on older systems that I forgot about and did re-use because I felt they were low importance systems at the time.  Any security professional who tells you they’ve never done the same is a better person than I am; either that or they’re lying to themselves.  And if we, the security professionals, are guilty of it, how can we expect better from our users?  Which means the Gawker compromise is going to lead to a wave of secondary compromises.  [Breaking:  Twitter accounts being compromised, potentially based on Gawker accounts]

The danger with the McDonald’s and DeviantArt compromises isn’t the account names, it’s the potential for phishing and other scams.  The phishers now have a validated list of customers they can target their spam at, quite likely starting with fake alerts about the compromise itself to get users to click on links to malicious sites.  From there, they can move on to lower impact, less obvious attacks, but that’s how I’d start.  The chance of a user trusting an email warning them of danger is quite a bit higher than for other emails.

This is a great way to end 2010.  Or not.  These systems were viewed by their owners as low value targets and were obviously protected as they felt appropriate.  But it’s proof that no matter how low value the data, if you accumulate enough of it, there is value to the data.  There was no financial data stolen directly but the amount of information that could be used to lead to a financial compromise is considerable.  What are the chances that at least a small percent of the accounts compromised will turn out to be using the same account name and password for their banking as well?  Probably a lot higher than we’d like to admit.

[Update:  I missed the Walgreens customer list compromise.  I wonder if it’s related to the McDonald’s compromise? Thanks, @falconsview]


One Response to “Customer information stolen”

  1. Security Skepticon 14 Dec 2010 at 10:52 am

    A local heavy metal radio station DJ commented on the Gawker compromise, saying, “Jeez if these guys are hacked, what hope is there for the rest of us?”

    I wanted to call in and say “The attack surface is the same for us all. Learn from their embarrassing incident!”

    The opportunity to mis-configure, overlook a necessary security setting, or leave a vulnerable default setting in place is the same for us all. We’re all on the web to publish content, not to play cat and mouse with miscreants and criminals. The folks at Gawker are no different from the majority of folks with web presence. They just fell in the cross hairs this time.

    PCI is criticized constantly for its heavy-handedness and burdensome cost to businesses that must comply. It’s not clear that Gawker, McDonald’s, Walgreens or DeviantArt might have dodged the bullet if they were forced to comply with PCI, but thousands of folks are now at risk – and more will follow – because we don’t have adequate protections in place wherever personal identifying information of any kind is stored.
