Hackers have stolen information relating to around 45 million accounts from VerticalScope, a Canadian media company that runs numerous support forums on various topics. @DFMag has the following comments from three cybersecurity experts, who’ve worked in the field for years.
Lee Munson, Security Researcher at Comparitech.com:
“While there is little information about how the breach was orchestrated, there does appear to be some news about how VerticalScope Inc. was storing its customers’ passwords.
“Unfortunately, that news does not look good – it appears as though the majority of user credentials were subject to MD5 hashing, something that is hardly considered secure in this day and age.
“The fact that the stolen data is not yet on the dark web is largely irrelevant at this point in time as it is certainly available on the regular web. Considering the nature of the breached information, any potential damage has already been done.
“Potential victims will be pleased to hear that their financial data is reportedly secure, but the combination of usernames, email addresses and passwords revealed in this breach may potentially be far more concerning, especially to anyone who has re-used their credentials across a number of forums or other online sites.
“Thus my advice with this breach, just like any other, is to change passwords immediately across all accounts that may be using the same credentials and to use different passwords for each account in the future, something made easy through the use of a password manager.”
Mark James, Security Specialist at ESET:
Any insight into the breach and the way the passwords were stored?
“Storing precious data in the cloud and keeping it safe is rapidly becoming a hit-and-miss affair. You are often presented with a simple choice of being part of a community or website or not. The options for security sadly are not a choice for you; that’s down to the owners or operators. There is without a doubt a massive amount of information waiting to be plundered by cyber pirates. Also bear in mind that keeping the data safe is only half the job; if it does get plundered or compromised, making sure it’s unusable should also be a major factor when storing said data. There are many good and indeed bad processes for the safe storage of passwords and other critical information.”
The details are not on the dark web yet, is this good news for victims?
“Sadly not. We have seen many instances where the data appears at a later time; sometimes, even years later, databases appear with private data hacked from various sites. As with all breaches, changing your password should be your priority, then the next thing you need to do is change any passwords that you have duplicated for other sites and get in the habit of using unique passwords for all future logins. Often in these cases headlines read “only limited information was stolen”, but that same “limited” information will and can be used for further phishing attacks to harvest more of your personal details by basing an attack on some previously stolen info that could be used to build a trust relationship with the victim. Always remember to be very cautious about opening any attachments or following links from within emails.”
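The two experts above contrast the MD5 scheme reportedly used with "good processes for the safe storage of passwords" and with making stored data "unusable" if it leaks. The following is an added illustration, not code from the article or from VerticalScope, using only the Python standard library: an unsalted MD5 record beside a salted PBKDF2-HMAC-SHA256 record, a check showing that the unsalted store reveals which users share a password while the salted store does not, and a login-time upgrade that retires legacy MD5 records. The user names, passwords and the 600,000 iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample accounts for this example; not records from the breach.
SAMPLE_USERS = {
    "alice": "correct horse battery",
    "bob": "correct horse battery",  # deliberately the same password as alice
    "carol": "hunter2",
}

# Assumed iteration count for PBKDF2-HMAC-SHA256 (in line with current OWASP guidance).
PBKDF2_ITERATIONS = 600_000


def md5_digest(password: str) -> str:
    """Legacy scheme described in the article: a bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: per-user random salt plus a slow key derivation.
    The record is self-describing so the parameters can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count;
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_groups(records: dict) -> int:
    """Count stored values that occur for more than one user.
    Unsalted MD5 makes every shared password visible in a leaked table;
    salted records for the same password never collide."""
    counts = Counter(records.values())
    return sum(1 for c in counts.values() if c > 1)


def upgrade_on_login(username: str, password: str, md5_store: dict, strong_store: dict) -> bool:
    """Migration path after a weak scheme is found: verify against the legacy MD5
    record at login and, on success, replace it with a PBKDF2 record."""
    legacy = md5_store.get(username)
    if legacy is None or not hmac.compare_digest(legacy, md5_digest(password)):
        return False
    strong_store[username] = pbkdf2_record(password)
    del md5_store[username]
    return True


if __name__ == "__main__":
    weak = {u: md5_digest(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: pbkdf2_record(p) for u, p in SAMPLE_USERS.items()}
    print("shared digests in MD5 store:   ", shared_digest_groups(weak))
    print("shared digests in PBKDF2 store:", shared_digest_groups(strong))
    migrated = {}
    print("alice migrated:", upgrade_on_login("alice", SAMPLE_USERS["alice"], weak, migrated))
    print("alice verifies:", pbkdf2_verify(SAMPLE_USERS["alice"], migrated["alice"]))
```

The point of the `shared_digest_groups` check is the one both experts make about leaked data being "unusable": a leaked MD5 table immediately shows which accounts share a password and can be checked against precomputed digests, whereas a salted, slow derivation forces per-record work and reveals nothing about duplicates. The login-time upgrade is the usual way to retire a legacy scheme without knowing users' plaintext passwords.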
Jonathan Sander, VP of Product Strategy at Lieberman Software, comments:
“As more and more sites are breached and passwords are stolen, the hope is that users are getting the message that password reuse is not OK. If a bad guy gets access to their sports forum account, they probably are only in danger of angering the folks in their local clubhouse with fraudulent posts. If they used the same password at their bank as at that sports forum, however, then maybe they’ll get kicked out of their club when they can’t pay their dues because their account has been drained of all its funds.”