If you have an account on AutoGuide.com, Motorcycle.com, PetGuide.com, Tractor.com, IBSgroup.org or any of VerticalScope’s other community websites and forums, change your password – TODAY!
Hackers have stolen tens of millions of accounts from popular forums belonging to the Toronto-based media company. The forums cover a multitude of diverse verticals from automotive, powersports and technology to pets, health and wellness, home improvements and outdoor.
In a security update on its website, the company rather downplays the situation. It prefers to highlight recently revealed breaches on social media sites before getting around to telling its own users that they need to change their passwords:
Poor password storage
Breach notification site LeakedSource.com analysed a copy of the stolen data and found that records may contain an email address, username, IP address and one – or even two – passwords.
The passwords were not stored in clear text so anyone in possession of the leaked data will need to crack the passwords before they can use them. How difficult they are to crack depends on how strong they are and on how they were stored.
Unfortunately most of the passwords were stored using an old technique that’s easy to crack:
It’s a similar situation to the well-publicised Ashley Madison data leak where some users’ passwords were stored using a modern technique (bcrypt) and others were stored using the same obsolete MD5 hashes used by VerticalScope.
A lot of researchers didn’t even bother trying to crack the bcrypt-ed passwords from Ashley Madison but one that did took a week to crack just 4,000 of the weakest. A different group of researchers took a swing at the MD5 hashes and cracked 11 million in just 10 days.
Companies and users must act responsibly
This latest news comes less than a week after high profile data breaches on three major social networks, MySpace, LinkedIn and Tumblr, were revealed.
Against the background of so much stolen data it’s easy to lose sight of the seriousness of a breach exposing tens of millions of poorly stored passwords. Users who entrust companies with their passwords have every right to expect them to be stored correctly so that they’re well protected even if their data is stolen.
And users? To play their part they need to chose strong, unique passwords.
The weakest passwords are the first to fall – LeakedSource.com has listed the top passwords used by VerticalScope users with ‘123456’ coming top and ‘password’ coming third. ‘111111’ and ‘qwerty’ also make the top twenty.
Users should also expect that the hackers behind this breach will try the stolen passwords on other websites too, or resell the passwords to other criminals who will.
So, if you’re a VerticalScope user, go and change your password and if you used it on any other sites, change those passwords too