Scribd Reveals It Was Hacked, Asks Users To Change Their Passwords

← Back to Stories (view on slashdot.org)

Scribd Reveals It Was Hacked, Asks Users To Change Their Passwords

Posted by samzenpus on Thursday April 4, 2013 @10:32AM from the protect-ya-neck dept.

An anonymous reader writes "Scribd has revealed it was hacked earlier this week, in what it says appears to have been 'a deliberate attempt to access the email addresses and passwords of registered Scribd users.' The good news is that the company believes less than 1 percent of its users were potentially compromised in the attack, and it has emailed each and every one of them asking them to reset their password. The company has set up a Web form for users to check if they are amongst those affected. We recommend that regardless of what the Web form says, and even if you don't use your Scribd account regularly, you should probably change your password."

38 comments

Min score:

Reason:

Sort:

Access passwords? by Anonymous Coward · 2013-04-04 10:35 · Score: 1, Insightful

Scribd itself shouldn't be able to access anyone's passwords. Then no hacker could.
Salt and hash, people. How does anyone still not get this?
1. Re:Access passwords? by broggyr · 2013-04-04 10:45 · Score: 4, Informative
  
  According to TFA, they were salted and hashed.
  
  --
  Irony? Yea, it's like goldy and bronzy, only it's made of iron!
2. Re:Access passwords? by Spy+Handler · 2013-04-04 10:45 · Score: 2
  
  i RTFA and it says that the passwords *were* salted and hashed. So apparently the hackers got users' email addresses and the password hash.
  Still, if your website was hacked and people found out about it, it makes sense to tell people to change their password.
3. Re:Access passwords? by Anonymous Coward · 2013-04-04 10:53 · Score: 0
  
  So this is just what is referred to as "an abundance of caution".
4. Re:Access passwords? by icebike · 2013-04-04 11:10 · Score: 1
  
  Email addresses shouldn't be stored in clear text either.
  
  --
  Sig Battery depleted. Reverting to safe mode.
5. Re:Access passwords? by jcaplan · 2013-04-04 11:29 · Score: 1
  
  If a site encrypts user's email addresses, they also have to store the key in order to decrypt the email addresses. Once the site has been cracked badly enough to retrieve the password hash file, the key needed to decrypt the emails would likely also be vulnerable, so encrypting user email addresses typically adds little security. The nice thing about hashing passwords is that there is no key to store or be discovered.
6. Re:Access passwords? by preaction · 2013-04-04 11:38 · Score: 1
  
  Why does the site need to be able to decrypt the e-mail address for any other reason than marketing or opt-in notifications? A salted/hashed e-mail address could be used just fine for logging in and sending password reset e-mails (in fact, I plan to do exactly that to avoid exactly this from happening).
7. Re:Access passwords? by Anonymous Coward · 2013-04-04 11:54 · Score: 0
  
  Maybe. Salting and hashing means it takes a lot more time to recover passwords, which means there's time to change them. But the attack can still be done offline at great speed, so within, say, a year, the attackers could probably crack all of them (maybe except for the 20+ character ones generated by password managers or similar methods). To be safe, the passwords should probably be changed within a week or a month at most, especially for weaker ones which could be broken more quickly.
8. Re:Access passwords? by Anonymous Coward · 2013-04-04 13:31 · Score: 0
  
  How are you going to send an email to an email address that you've salted and hashed? If you can recover the email address then anybody that has access to the system can do the same.
9. Re:Access passwords? by Anonymous Coward · 2013-04-04 13:53 · Score: 0
  
  If password recovery is the only instance where email is sent to users, this should work. Login checks for matching email hash and password hash, recovery email is sent to any address with matching email hash. Of course for recovery you still need to send the email address to the server in plaintext, and it will be hard to delete all traces of it on the server.
10. Re:Access passwords? by Jah-Wren+Ryel · 2013-04-04 18:27 · Score: 1
  
  According to TFA, they were salted and hashed.
  Mhhm um umh! I loves me some salted password hash browns!
  
  --
  When information is power, privacy is freedom.
11. Re:Access passwords? by Anonymous Coward · 2013-04-04 19:25 · Score: 1
  
  In which case you shouldn't change your scribd passwords till you're sure that Scribd isn't still vulnerable to the hackers. Otherwise it could just be a waste of your time.
  
  This assumes you've picked decent passwords and don't reuse the passwords.
  
  If you reuse passwords, priority should be changing them everywhere else, not scribd.
12. Re:Access passwords? by wonkey_monkey · 2013-04-04 19:32 · Score: 2
  
  If password recovery is the only instance where email is sent to users, this should work.
  And what about when the database gets hacked and the admins need to send email to the affected users asking them to change their passwords?
  
  --
  systemd is Roko's Basilisk.
13. Re:Access passwords? by RabidReindeer · 2013-04-04 23:44 · Score: 1
  
  If password recovery is the only instance where email is sent to users, this should work. Login checks for matching email hash and password hash, recovery email is sent to any address with matching email hash. Of course for recovery you still need to send the email address to the server in plaintext, and it will be hard to delete all traces of it on the server.
  You really don't want to do that. Unless you have a perfect hash, you have the risk of hash collisions, i. e., false matches. Hash on password is relatively safe. Hash on user identity is not. You could end up sending information to the wrong person. The odds are against it, but Murphy sneers at odds.
14. Re:Access passwords? by Ash-Fox · 2013-04-04 23:47 · Score: 1
  
  I thought we used Twitter or Google+ to communicate with users now?
  
  --
  Change is certain; progress is not obligatory.
15. Re:Access passwords? by tlhIngan · 2013-04-05 03:20 · Score: 1
  
  Why does the site need to be able to decrypt the e-mail address for any other reason than marketing or opt-in notifications? A salted/hashed e-mail address could be used just fine for logging in and sending password reset e-mails (in fact, I plan to do exactly that to avoid exactly this from happening).
  So how do you notify someone that you've been hacked? And what if you have two people whose emails hash to the same value? (It does happen, and while it's SUPPOSED to be unlikely, "unlikely" has a nasty chance of being "will definitely happen" in short order).
  The latter part is particularly important during password reset emails - if you chose a system where the email hash and password hash have to be identical (leaving out the possibility that you can have users whose emails and passwords both hash the same), how do you differentiate? You could inadvertently reset the wrong account since you have two identical email hashes. (Try to be smart and concatenate both email and password and hash that? well, how do you do password recovery when you only have half the input data?).
  No, the only way to do it is to encrypt the email addresses. Use asymmetric encryption like RSA or ECC (though obey limitations of ECC since you can inadvertently reveal the key - a la PS3 hack). The server holds the public key, you hold the private.
  To verify emails, you encrypt the address with the public key and compare the ciphertext with what's in the database. Then just do a lookup with the enciphered email and hashed password.
  If the admin needs access to the email, they have the private key and can decrypt the email address. The server never stores the private key.
  If a password recovery is needed, you encrypt the email with the public key and compare in the database
Bob's Geocities Page announces by Anonymous Coward · 2013-04-04 10:49 · Score: 1

It hasn't been hacked, and it's four visitors this past year don't need to change their passwords.
1. Re:Bob's Geocities Page announces by Anonymous Coward · 2013-04-04 11:07 · Score: 0
  
  Wait, Geocities is back? How is this not the real news here?!
The problem isn't the scribd passwords. by Anonymous Coward · 2013-04-04 11:07 · Score: 0

The problem is a lot of people use the same e-mail address and passwords for many, many sites. Hell, a lot of people use their e-mail password as their site password.
Won't someone please think of the kittens? by SuperBanana · 2013-04-04 11:19 · Score: 5, Interesting

Every time someone uploads a PDF to behind scribd's stupid registration-required-to-download-so-I-can-see-it-in-something-bigger-than-a-porthole wall, His Noodliness kills a kitten.
Seriously, people. There are plenty of places you can upload ANY file to, where only YOU will have to register (and some, even, where you don't!) With Firefox now able to parse PDFs in-browser, there is little excuse for scribd to exist.
Let's all take this breakin as a great reason to let them head off into the sunset.

--
Please help metamoderate.
1. Re:Won't someone please think of the kittens? by Anonymous Coward · 2013-04-04 11:41 · Score: 0
  
  All good things will get bad.
  All bad things will get worse.
  This is why we endlessly rewrite software. ...and this is why nothing ever works.
2. Re:Won't someone please think of the kittens? by Anonymous Coward · 2013-04-04 12:20 · Score: 0
  
  Exactly. scribd sucks the moon balls
3. Re:Won't someone please think of the kittens? by Anonymous Coward · 2013-04-04 12:42 · Score: 0
  
  Scribe is useful to upload PDFs with URLs, Google counts them as backlinks.
  Free SEO!
4. Re:Won't someone please think of the kittens? by Anonymous Coward · 2013-04-04 22:16 · Score: 0
  
  I use www.bugmenot.com for when I need to go on scribd, quora etc. It has accounts for most sites I don't.
5. Re:Won't someone please think of the kittens? by jeffmeden · 2013-04-05 02:19 · Score: 3, Interesting
  
  Every time someone uploads a PDF to behind scribd's stupid registration-required-to-download-so-I-can-see-it-in-something-bigger-than-a-porthole wall, His Noodliness kills a kitten.
  Seriously, people. There are plenty of places you can upload ANY file to, where only YOU will have to register (and some, even, where you don't!) With Firefox now able to parse PDFs in-browser, there is little excuse for scribd to exist.
  Let's all take this breakin as a great reason to let them head off into the sunset.
  Wish I could mod you to 1,000. Scribd is the biggest solution looking for a problem i have seen in a long time. Have a PDF to share? Put it on a fucking web server, and let the browser download it (even the terrible adobe reader plugin managed to get search to work, but of course scribd can't figure it out). It's not there to protect copyrighted material, it's there to try to create a userbase where one shouldn't have to exist.
  I set up a junk scribd username/password a while ago to see some content. If a hacker got hold of it, they are going to get what they deserve if they use it to log in. Scribd is a pitiful premise, executed even more pitifully; have all the fun you want, hackers!
Gmail calls it spam by Nedmud · 2013-04-04 11:39 · Score: 1

The slightly concerning thing is that the notice email I got was in my Spam folder. I checked the source carefully and the password reset link appeared to be legitimate. So I've used it (entering my email address only). The next email was also marked as Spam, with GMail saying that a lot of mail received from postmaster.scribd.com is spam.
Has anyone got any thoughts on this? Has scribd done something dumb in the past? Has their mail systems been compromised too? Is there a concerted effort to fool GMail into treating these password emails as spam?
1. Re:Gmail calls it spam by Anonymous Coward · 2013-04-04 12:19 · Score: 0
  
  Have enough GMail users who got such notice clicked on "This is spam!" button?
2. Re:Gmail calls it spam by Anonymous Coward · 2013-04-04 13:25 · Score: 0
  
  A lot of email has been mislabeled as spam, lately. It's not just Scribd.
3. Re:Gmail calls it spam by Anonymous Coward · 2013-04-04 13:56 · Score: 0
  
  Why don't you use an email client with a spam filter that you control?
Don't Just Change your Scribd Password by Jah-Wren+Ryel · 2013-04-04 12:13 · Score: 1

Chances are this hack was not about getting into people's scribd accounts. It was about getting into their email accounts (and from there into any other site associated with that email address).
What they should be telling people is not only to change their scribd password, but even more importantly, if you used the same password for scribd as you do you for your email account, you need to change the password on your email account immediately.

--
When information is power, privacy is freedom.
1. Re:Don't Just Change your Scribd Password by Kozz · 2013-04-04 14:37 · Score: 1
  
  ... if you used the same password for scribd as you do you for your email account, you need to change the password on your email account immediately.
  If you use the same password for scribd and your email account AND you're reading this comment, you're probably lost.
  Here, friend. Maybe you'd feel more comfortable here, or maybe here or even here. (after changing your passwords, of course)
  
  --
  I only post comments when someone on the internet is wrong.
WTF... by fuzzyfuzzyfungus · 2013-04-04 13:03 · Score: 2

Why does this 'Scribd' bullshit even exist?
A revolutionary technique exists for putting 'pdf' documents on an 'http' server, that doesn't involve flash, registration, or any other bullshit. What, exactly, is the redeeming value here?
1. Re:WTF... by Anonymous Coward · 2013-04-04 14:00 · Score: 0
  
  It's anonymous and it doesn't get as many takedown notices as www-hosts or filehosts, so the PDFs are likely to last longer. And it's searchable.
2. Re:WTF... by jma05 · 2013-04-04 19:14 · Score: 1
  
  Also, Scribd loads pages just around the page you are reading. Useful on slower, metered connections for large PDFs. Registration requirement is still annoying of course.
Agreed by Anonymous Coward · 2013-04-04 13:25 · Score: 0

Scribd provides zero additional value beyond a simple PDF on a file server. When I have the unfortunate occasion to end up in a Scribd document I close that tab and reconsider whether I should have any further involvement with the subject.
1. Re:Agreed by Anonymous Coward · 2013-04-04 21:11 · Score: 0
  
  Seconded. Why is there Scribd? It adds nothing. It makes the world a worse place.
unhelpful response by Anonymous Coward · 2013-04-04 23:29 · Score: 0

I sent them an email asking 3 simple questions, but their response did not answer any of them. From the wording it appears that a human read my question and responded, but did not seem to understand or care about my questions.
AMERICAN GOVERNMENT AT WORK by Anonymous Coward · 2013-04-10 20:12 · Score: 0

WAKE UP PEOPLE! THIS IS THE USA GOVERNMENT AT WORK. They are trying to rid all this information. The end of days is coming, they are in control. How is it such a coincidence that 2013 is the year Scribd gets hacked? This is not a coincidence, this is a targeted attack by USA "government" aka Satan's puppets. Facebook is the same. All that information can be taken from the owners of Facebook within hours if the USA government really wanted it...