Hackers have recently breached two high profile sites and user credentials have been stolen. Forbes announced on its Facebook page that it was “targeted in a digital attack” and that the site was “compromised.” The result was that the hackers stole over 1 million account records. At around the same time Kickstarter also posted a blog entry reporting “that hackers had sought and gained unauthorized access” to some of its customers’ data.
The attack on Forbes.com seems to have been carried out by the Syrian Electronic Army (SEA). The hacktivists subsequently published a database of email addresses and passwords for 1,071,963 accounts. Forbes says that the passwords were encrypted, however the site “strongly encourage Forbes.com readers to change their passwords.” The disclosure notification went on to say, “The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks.”
Kickstarter found out about the breach to its systems when law enforcement officials contacted it and pointed out what the hackers had been doing. According to Kickstarter, “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.”
However user account information including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords were accessed. Kickstarter doesn’t actually say if it used a salt for its password encryption, however it does state that users should change their password as it is possible that “a malicious person with enough computing power” could guess and crack an encrypted password, particularly a weak or obvious one.
It looks as Forbes.com may have used the Portable PHP password hashing framework (phpass) and according to Sophos that means the passwords where hashed using a 6 byte random salt and 8192 iterations of the MD5 hash. The repeated use of the MD5 hash is there intentionally to stretch out the computation time needed for a brute force attack.
As is the norm, both sites are sorry and apologize for what happened and everyone is promising to tighten up security.