As We Speak, Teen Social Site Is Leaking Millions Of Plaintext Passwords (arstechnica.com)
Dan Goodin, reporting for ArsTechnica: A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed. Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website. The hacker provided the 2.2 million account credentials both to Ars and breach notification service Have I Been Pwned?. By plugging randomly selected e-mail addresses into the forgotten password section of i-Dressup, both Ars and Have I Been Pwned? principal Troy Hunt found that they all were used to register accounts on the site. Ars then used the contact us page on i-Dressup to privately notify operators of the vulnerability, but more than five days later, no one has responded and the bug remains unfixed.
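The summary says the credentials were pulled out with a SQL injection attack and that the passwords were stored in plaintext. The following is an added example, not code from the Ars report, from i-Dressup, or from any poster in this thread; the table layout, the sample accounts and the `' OR '1'='1` payload are constructed for illustration. It shows why a lookup that pastes user input into the SQL text hands an attacker the whole table, and that the same payload against a parameterized query returns nothing.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not real i-Dressup records).
# Passwords are stored in plaintext on purpose, to mirror what the report describes.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "letmein"),
]

# Classic tautology payload: closes the quoted literal, then makes the WHERE clause always true.
INJECTION = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple[str, str]]:
    """Vulnerable form: the caller's string becomes part of the SQL statement itself.

    With email = INJECTION the statement executed is
        SELECT email, password FROM users WHERE email = '' OR '1'='1'
    which matches every row, so one request dumps every stored credential.
    """
    query = f"SELECT email, password FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[tuple[str, str]]:
    """Hardened form: the value travels as a bound parameter, never as SQL text.

    The same payload is now just an e-mail address that nobody has registered.
    """
    query = "SELECT email, password FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal lookup  :", lookup_vulnerable(db, "alice@example.com"))
    print("injected lookup:", lookup_vulnerable(db, INJECTION))  # all three rows
    print("safe + payload :", lookup_safe(db, INJECTION))        # []
```

The parameterized query fixes the injection; it does nothing about the second problem in the report, which is that whatever does get dumped is a usable password rather than a salted hash.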
Just last week we had the half billion accounts from Yahoo! leaked and now this website, after being notified it has a problem, leaves things in place to continue leaking credentials.
Yeah, private industry is so great compared to government.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
How about not storing passwords in plaintext? That way, simple attack, or more sophisticated attack, you're not just handing them credentials carte blanche....
The good thing about private industry is that there are laws penalizing them for this kind of behavior.
Hogwash. Target settled with a $10 million payout: $10K per affected person. $10 million is less than the compensation package for Brian Cornell, CEO of Target, in 2015. That "penalty" barely ranks as an itch on the Target balance sheet.
Home Depot settled for $19.5 million. A bit better but nothing to write home about.
Penalties are supposed to hurt. They are supposed to be designed to either force or encourage better behavior. The above two examples do not fall into the category and from the look of things, nor do other penalties for data breaches.
The real problem was not SQL vulnerabilities. Plain text passwords should never be transmitted to servers. They should be salted and hashed on the client. It should have been clear to anyone that bothered to look at the data being transmitted that this website had major security problems and was developed by clueless amateurs.
None of this is of any value if you don't give your kids access to your credit card.
My 16 year old daughter has had her own card since she was 10.
And if you do, then you're already exposed to bigger threats.
Like kids who have learned responsibility and basic financial management? Just make sure the limit is low, and let kids make mistakes and learn from them. Your kids won't grow up to be capable and responsible adults if you shelter them from reality and make every decision for them.
So then the hash becomes a plain text password?....
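The exchange above (hash on the client, versus "then the hash becomes the plaintext password") is easier to judge with the two schemes side by side. The following is an added example, not code from any poster or from i-Dressup; the record format, the iteration count and the e-mail-as-salt pre-hash are assumptions made for the illustration. The server-side half is a standard salted PBKDF2-HMAC-SHA256 store, which is what "not storing passwords in plaintext" normally means. The client-side half shows the replay problem: if the server stores exactly what the client sends, a leaked record logs in as-is, so the server must still run its own salted slow hash over whatever arrives.

```python
import hashlib
import hmac
import os

# Assumption for this example: a PBKDF2-HMAC-SHA256 work factor in the range
# current guidance recommends. The point is that it is slow and salted, not the exact number.
PBKDF2_ITERATIONS = 600_000
RECORD_TAG = "pbkdf2_sha256"


def hash_password(secret: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Server-side storage: fresh random salt per user, slow keyed hash, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"{RECORD_TAG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(secret: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        tag, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if tag != RECORD_TAG:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def client_prehash(email: str, password: str) -> str:
    """The 'salt and hash on the client' proposal: one fast SHA-256, e-mail as the salt (assumed shape)."""
    return hashlib.sha256(f"{email}:{password}".encode()).hexdigest()


def store_prehash_only(prehash: str) -> str:
    """Naive server: keeps the client's hash verbatim. This value is now the password."""
    return prehash


def check_prehash_only(stored: str, presented: str) -> bool:
    """Naive server login: a leaked 'stored' value passes this check unchanged."""
    return hmac.compare_digest(stored, presented)


def store_prehash_hardened(prehash: str) -> str:
    """Server still treats the client hash as a secret and salts/stretches it itself."""
    return hash_password(prehash)


def demo() -> dict[str, bool]:
    """Constructed walk-through; returns the observations the test asserts on."""
    email, password = "alice@example.com", "hunter2"   # constructed sample account

    server_rec = hash_password(password)
    pre = client_prehash(email, password)
    naive_rec = store_prehash_only(pre)
    hardened_rec = store_prehash_hardened(pre)

    return {
        # A dump of the server-side store contains neither the password nor a reusable login token.
        "server_record_hides_password": password not in server_rec,
        "server_record_not_replayable": not verify_password(server_rec, server_rec),
        # Two users with the same password get different records (random salt).
        "server_salt_differs": hash_password(password) != server_rec,
        # Naive client-hash scheme: the leaked record IS the credential for this site.
        "naive_leak_replays": check_prehash_only(naive_rec, naive_rec),
        # Hardened scheme: the real prehash verifies, the leaked record does not.
        "hardened_accepts_client": verify_password(pre, hardened_rec),
        "hardened_leak_fails": not verify_password(hardened_rec, hardened_rec),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {ok}")
```

Client-side pre-hashing can still be worth doing, since it keeps the raw password (which users reuse elsewhere) off the wire and out of server logs, but it only helps if the server keeps hashing on its side; on its own it just changes which string the attacker needs to steal.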