Disney Playdom Hacked

While Disney probably thinks that their 350,000 or so users who got hacked is a big thing, in the grand scheme of things, it is not so big.

The Playdom site is the official forum for Star Wars, Marvel and other Disney games.  It is kind of surprising that there were only 350,000 names hacked.

First, what did they get?  Well they got email addresses.  That’s not terribly exciting.  Usernames.  Well, maybe a little bit more concerning, but not very concerning.  Passwords.  Well, that is a bit concerning.  IP addresses.  Well first, they said they got IP addresses but then they said they don’t store IP addresses, so I am not clear on that one.

All in all, the only one that is a big concern is the passwords.

But first, at least one source is reporting that Disney was running this forum on vBulletin, version 4 – an old version which is considered not to be secure.

You would think a company as big as Disney would know how to update the software that their users depend on, but as we see again and again, size does NOT matter.  Big companies do NOT do it better.  In part this is because they have, likely, thousands of web sites.

Of course, for a hacker, this is a dream.  You just troll around big companies' web sites and look for ones running an old version of the web software.  Then you look at the bugs that were fixed in the new version and you now have an attack road map.

So this is first a message to businesses to keep your server software up to date.

Why are the hacked passwords a concern?  It is a concern because people reuse passwords.  Hopefully, those 350,000 people are not using the same password for Disney as they do for online banking, but …..

So this is really an article to discuss password reuse.

The hacker now has 350,000 email addresses plus the passwords associated with them.  If you assume most people reuse passwords, then you can try these email/userid/password combinations on other sites to see what works.

They have not said how or if the passwords were encrypted.  The strength of that protection will determine how hard it is to crack the passwords.  If they are stored as unsalted MD5, the hacker effectively has the passwords already.  You get the idea.
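To show concretely why unsalted MD5 amounts to "they have the passwords already" while a salted, slow hash does not, here is a small added example (my own illustration, not code from Disney, Playdom or vBulletin). The accounts and the word list are constructed for the demo; the PBKDF2 iteration count is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample forum accounts (hypothetical, not breach data).
# Two of them happen to share a password, as real users often do.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "skywalker1"),
    ("bob@example.com", "skywalker1"),
    ("carol@example.com", "correct horse battery staple"),
]

# Constructed word list standing in for a table an attacker could
# have computed once, long before any particular site was breached.
WORDLIST = ["password", "123456", "skywalker1", "letmein"]

# Assumed work factor for the slow hash; tune upward in production.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password: str) -> str:
    """The weak scheme: one deterministic digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple:
    """Proper storage: per-user random salt plus a slow key derivation.
    Returns (salt, digest, iterations) so the record can be verified later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def pbkdf2_verify(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def reuse_visible_in_unsalted_table(accounts) -> bool:
    """With unsalted MD5, equal passwords give equal digests, so password
    sharing between users is visible from the leaked table alone."""
    digests = [md5_unsalted(pw) for _, pw in accounts]
    return len(set(digests)) < len(digests)


def reuse_visible_in_salted_table(accounts) -> bool:
    """With a random salt per user, equal passwords give different digests."""
    digests = [pbkdf2_record(pw)[1] for _, pw in accounts]
    return len(set(digests)) < len(digests)


def recovered_by_precomputed_table(accounts, wordlist) -> int:
    """Count how many unsalted digests a table computed once, in advance,
    resolves with a dictionary lookup and no hashing at all after the leak.
    A salted record cannot be resolved this way: the salt is unknown until
    the leak, so the slow derivation must be redone per user, per guess."""
    table = {md5_unsalted(word): word for word in wordlist}
    stored = [md5_unsalted(pw) for _, pw in accounts]
    return sum(1 for digest in stored if digest in table)


if __name__ == "__main__":
    print("reuse visible (unsalted MD5):", reuse_visible_in_unsalted_table(SAMPLE_ACCOUNTS))
    print("reuse visible (salted PBKDF2):", reuse_visible_in_salted_table(SAMPLE_ACCOUNTS))
    print("accounts resolved by precomputed table:",
          recovered_by_precomputed_table(SAMPLE_ACCOUNTS, WORDLIST))
    salt, digest, iters = pbkdf2_record("skywalker1")
    print("verify correct password:", pbkdf2_verify("skywalker1", salt, digest, iters))
```

The point for a site operator is the asymmetry: the unsalted table is cracked by work done before the breach and shared across every victim, whereas the salted, iterated record forces fresh work for each user and each guess.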

From a user standpoint, password reuse means that when Disney’s site gets hacked, the hacker can empty your bank account.  THAT is likely a problem, at least for most people.

So please, do not reuse passwords.  At least not between what I call junk sites, like Disney, and important sites.  Important sites include any site that stores credit cards (like Amazon), financial information (like your bank) or health care information (like your insurance company or doctor).  These are only examples.  You need to decide what a junk site is and what an important site is.

If people would not reuse passwords, it would make hacking sites like Disney pretty useless.  If all you got was the password to Disney and nothing else, well, maybe you will find out who my favorite Star Wars character is. Just. Not. Worth. The. Effort.

But, people don’t do that, so hacking Disney is still pretty valuable.

By the way, Disney shut down the site after the breach.  Maybe – just maybe – that is a bit too late.

Information for this post came from Softpedia.
