"You're either with us, or you're against us." No middle ground there.
Um, are you serious? Hillary Clinton is Secretary of State.
This is something that is hammered at over and over in the comments at the end of the original article, as well as here on /. They apparently did no research into virtualization before launching into this ill-advised kludge. It took them so long to figure out that they were using the wrong technology, they could have saved themselves a ton of work just by doing some rudimentary investigation/evaluation of multiple virtualization methods before going down the VMware Server road. There are better "free" options than the one they chose, and probably some more appropriate options than the BSD Jails solution they eventually used. Or they could have paid a consultant to advise them in the first place if they weren't such cheapskates. I'm a notorious skinflint myself, but I know that doing your homework in advance is a better use of resources than the trial-and-error fiasco they endured. And they did this in a production environment with their customers' live data! Something tells me this story will not drive new business to their door.
But a clear waste of time. The WSJ article is only four paragraphs long and hasn't been updated since it was originally posted. The CNET article from the main /. post has lots more detail, includes complete quotes from both the SC AG and Craigslist CEO, and shows that it was updated with new information twice just this morning.
Go to the CNET story and save yourself a lot of trouble.
Ever hear of red light cameras that take a photo of your license plate and send you a ticket in the mail if you run a red light? Ever hear about how many cities calibrate their yellow light timers to 4 seconds instead of the legally required 6 seconds just so that camera will take more photos and generate more ticket revenue for the city? Who certifies these cameras?
Right. No one does.
You're right. $10,000 is not a deterrent. People still drive drunk. The money it costs them doesn't change their behavior at all. The AA meetings and alcohol awareness classes don't change more than 10% of the people ordered into these programs. 90% of them will drink again. 50% of those will drive drunk again. A drunk driver can still kill you, no matter how much money he or she has already paid to the government as a consequence of behavior. That's why the police and the courts love DUI cases, the more the better. Multiple offenders pay even more money into the general fund.
But your insurance company probably doesn't value your life nearly as much as you do. $10,000 is probably all they'll pay out if you end up in the morgue after an accident, unless you have a very generous policy.
Bingo! Of course we live in a police state! That's why we have red light cameras that cheat (and the companies that make these cameras sell them to cities with promises of enormous revenue generated through increased traffic tickets) and breathalyzer machines that cheat because DUI convictions are a huge source of revenue, so politicians don't have to raise taxes to pay their own salaries and fund the government.
But they raise your taxes anyway.
DUI laws and their enforcement are important, but the original post makes a valid point. There is a lot of money to be made from DUI arrests (a first offense can cost the driver as much as $10,000 in fines and penalties alone, in addition to driver's license suspension and increased insurance premiums). Local governments (city/county) make a shitload of money this way, so there is every incentive to lower the BAC limit even more, or "tweak" the code of a breathalyzer to ensure a high test result as often as possible, rounding up a result before generating the output rather than displaying the true result.
Like simple possession of marijuana, these DUI cases are the "low-hanging fruit" that police love to harvest. It's a hell of a lot easier (not to mention safer) to spend your hours on patrol arresting drunks and stoners than risking your life chasing down dangerous rapists, thugs and murderers. Violent career criminals tend to not have jobs or steady income, so they don't even generate much revenue for your particular jurisdiction when arrested; they only cost the taxpayers more money to incarcerate. DUI cases are much easier to prosecute because the defendants almost always plead guilty or no contest, pay their fines, and go back to work to pay their taxes. Gangstas, rapists and murderers rarely ever pay the state back, and only cost the government more money to imprison, so we're all better off just letting them back on the streets.
It already is. California has a law (SB 1386) that has been in effect since 2003 concerning the responsibility of companies and government agencies to keep their databases secure and to publicly report any breach of confidential personal information within 30 days of the incident.
Full text of the bill is here: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
There are no fines imposed, but the public humiliation of having to admit that they lost data can cost a company plenty. And the company is held responsible for making sure that the people whose information was lost/stolen/compromised are fully compensated for any money they lost as a result of the breach. And they have to alert all the credit reporting agencies that everyone in the database whose information was compromised gets a Free Credit Report and can freeze their own credit report from all public access for any length of time until they choose to lift the freeze.
That by itself is a pretty serious penalty. If you want to impose a fine for every SSN compromised, every company that has any kind of a breach is going to go bankrupt. As if we don't have enough companies going bankrupt just as a consequence of the lousy economy, let alone due to a security breach.
This was the University of California at Berkeley. The only OS they are permitted to run is the one they developed in-house: BSD, of course.
They were running BSD, weren't they? Why the hell would they want to run anything else if they had concerns about security?
What's so hard about virtualization? No, Joe Luser probably wouldn't be able to grasp this concept right out of the box, but this is the wave of a future that isn't really all that far away. It should soon be relatively easy and painless to click on an icon from your desktop (any desktop, Gnome, KDE, Windows, OS X, etc.) that will launch a virtual OS in the background to run whatever Windows app you want in the foreground. But it won't be free. You'll have to pay Microsoft for a license to run that app, and it is up to them to decide if you're going to pay once for a perpetual license, or pay an annual subscription fee to use the latest release, or "pay-by-the-click" to charge your account on a per-use basis.
Far more likely, though, you'll just launch your browser if you want to run a Windows app from your Linux box. Browse to Microsoft's Windows Azure/Live/Strata site (or whatever they eventually decide to call it), log into your Windows Live account and choose your preferred Windows application from a menu and run it from the cloud. Save to your SkyDrive, then go back to Linux where you can be happy again.
I remember only paying $75 for my first version of OS/2 Warp 3.0. Then, a few years later, I was willing to pay up to $119 to upgrade to OS/2 Warp 4.0 to avoid having to use Windows on my home PC the way I was forced to use it at work. I can't remember any of my OS/2 colleagues paying any more than that. Where did you get those pricing figures?
Did you even RTFA? They didn't have to crack any passwords at all. Most of the bank account usernames, account numbers and passwords were simply provided by the clueless users who logged into their accounts over the internet. Torpig just forwarded the user login ID and password credentials submitted through the browser to the Mebroot command and control computer, using the "Man-in-the-browser" phishing technique described in Section 2 and Section 6.1. There's no sense wasting precious hacker time using brute force attacks to crack passwords that aren't even encrypted.
Something not mentioned is that this botnet can only infect Windows XP and earlier Microsoft OS versions. Clueless Windows users have hammered Vista over the User Account Control feature, but this is one of the primary security enhancements that prevents such botnets from 0wning your Vista system. Windows 7 is even more secure. Running Linux or the MacOS under a standard user account makes sense to those of us who know how and why these things are important, but many home computer users (and even business users, who should know better) run their XP systems under administrator credentials without thinking about how vulnerable this makes them to "drive-by" attacks like the Torpig botnet. Even keyloggers are able to install themselves only because XP users are logging in as Admins by default.
"Best Practices" are almost never applied to home computer users or small businesses that aren't aware of the dangers of admin permissions.
As I recall, he was referring to Digg users in general.
Spelling Nazi corrected subject line (fixed that for ya).
If you haven't read any of J.G. Ballard's work, you can't really appreciate what he did for the field. He was one of the vanguards of the British New Wave/New Worlds movement in the 1960s who re-defined science fiction through narrative experimentation.
Recommended works include Vermilion Sands, which was a truly mind-bending collection of connected short stories; The Drowned World set in a post-apocalyptic future like no other; Concrete Island, which is an urban nightmare almost too strange to describe in a few words, as is his more famous novel Crash, about the most grotesque sexual fetish anyone has ever come up with, and was a perfect vehicle for David Cronenberg to adapt for the screen. "Auto-eroticism" doesn't even begin to describe it.
And, of course, there is his non-sf semi-autobiographical novel Empire of the Sun, a great read by anyone's measure, and probably his most accessible book, which explains why it is the only one of his works Steven Spielberg could ever have filmed.
No, it is up to the creator to decide how to distribute his/her work. Note Cory Doctorow's stand on the matter at http://craphound.com/. Cory releases all of his work under a Creative Commons (copyleft) license, so anyone at all can download his work for their own pleasure without paying him one single penny. How the hell does he make a living? Because there are enough of us who feel the work is valuable and are willing to pay money to him and his publisher for it. His latest novel is still on the New York Times bestseller list and is now in its 8th printing, has been nominated for both the Hugo and Nebula awards, and has made him more money than any of his previous books.
Also take note of the policies at Baen Books (http://www.baen.com/), a longtime publisher of science fiction that began posting the entire text of some of their books online for free a few years ago. They would let readers download and read the first book of a series for free, and then saw sales skyrocket for other books in the same series. You can purchase a hardcover copy of some of David Weber's Honor Harrington novels at Barnes and Noble, and in the back of the book you will find a CD-ROM containing the entire text of all the earlier books in the series. And you can read them for free. Baen is counting on you to enjoy them so that you will pay money for the next book in the series when it is published.
It may be counter-intuitive to 20th century MBAs, but this is a business model that works. Both TOR (which publishes Doctorow's books) and Baen Books are making money by giving away product for free. Radiohead made millions of dollars by allowing their fans to download their album "In Rainbows" on a PriceLine style "name your own price" model. Trent Reznor and Nine Inch Nails have a similar pricing scheme for their music and likewise are making lots of money by cutting the record labels and the RIAA out of the process.
When artists take control of their own work, they know how to sell it, market it and profit from it, even if that means giving it away for free.
Does this mean Verizon is going to have to stop advertising their service as "America's most reliable wireless network?" If they're leasing lines from AT&T, they are even more vulnerable if those leased lines aren't just redundant backup systems for their own network. This incident is exposing all kinds of "single points of failure" that a well-designed network should not have. What pointy-haired boss approved these plans anyway?
This is big news. The unreported part in the SF Bay Area is that they've now discovered more fiber cuts in Santa Cruz and Watsonville. Your posting was the first I've heard about any fiber cuts outside of California.
This definitely sounds like a coordinated effort either among CWA Union activists who know where the fiber runs and how to get access to it, or very organized vandals with inside information in how the network is configured.
While I don't wish anyone harm, I do have to agree with you about union activist vandalism. My wife worked for over 10 years as a nurse manager for a large hospital group with multiple campuses, and the SEIU union (now split into two factions, SEIU and HCW) staged labor actions EVERY SINGLE YEAR, even when they HAD a valid contract in place. One time, they visited the houses of nurses who had confirmed to management that they were going to cross the picket lines to report to work and slashed the tires of their cars on the first day of the walkout to make sure they couldn't get to the hospital.
Another time, they set fire to a trash dumpster between two hospital buildings, forcing an entire nursing wing to be evacuated and the patients, some in critical condition, had to be relocated to other areas. And of course, the place was being staffed by expensive travelling nurses, who were just getting oriented to the hospital and its layout since the regular staff were either on the picket lines or otherwise unable to report to work (their tires were slashed, or they received threatening phone calls by union activists, etc.)
They staged daily press conferences with the TV/radio/print media shouting about how they were doing this to protect the rights of the hospital's patients ("Patients before Profits" was their slogan, even though the hospital group is a not-for-profit corporation). In fact, their vandalism did more to endanger the lives of patients than to protect their interests. To be fair, the nurses were generally not involved in these actions. These things are usually done by professional union activists, who have no other jobs except to enforce the orders of the union bosses.
From the early part of the last century, Unions have been run by gangsters, and they use gangster tactics to get what they want from management. The Teamsters were formed by gangsters after the repeal of prohibition to control the liquor market by controlling the trucking and distribution of distilled spirits. And the Teamsters are the most powerful union. Most of the other unions (SEIU included), take their marching orders from the gangsters who run the Teamsters.
Yep, AT&T confirms someone climbed down an unsecured manhole to cut the cable in San Jose and in Gilroy. These things don't accidentally cut themselves, so yeah, I think it was probably someone who knew they could do a lot of damage with very little effort, who knew where the manholes were easily accessible and knew which cables to cut.
If I had any mod points available, I'd flag you as off topic. You don't have to be a Libertarian to hate the government, but it helps.
Of course they're going to blame malware or a third party. They just did a complete re-design of their web-based email system about three weeks ago. System was down for maintenance for a few hours late one night while they moved everything to the new servers. All Comcast customers were notified about the change about a week in advance. I think they sent two or three messages, boasting about all the great changes that were in store for us on the horizon after the new mail system was in place. Chances are the target addresses for the notification message were hacked. Comcast has way more than just 8000 customers, so they could have sent the message out in small groups of, say, 8,000 customers, and one of the transmissions was intercepted.
Just speculating here, but the timing of this breach is suspicious.
Why take any chances? Just assume your account has been compromised. Whether or not you are a victim, you should change your password today. That takes care of it, without you having to do any follow-up research.
Also, make a habit of using encryption for all your email correspondence, regardless of sensitivity. If all your communication is encrypted, it doesn't matter how important or private it is, it will be protected.
Obviously, it's still out there (look down below in this thread). I remember I changed my Comcast password last summer, when they previously announced a similar problem. Now, just to be safe, I'm changing it about every three months, just as I do my work account. You can't be too careful with this kind of stuff, particularly when the gatekeepers of your private information cannot be trusted to safeguard it as securely as I do on my own network.