Web Sites Store Passwords Unencrypted

ClixSense, a company that pays users to look at ads and fill in surveys was hacked last week.  The hackers dumped 2 million “samples” on Pastebin to advertise the sale and security researchers say that the data appears to be real.

In total, there are over 6 million records “available”.  Information that is in the dump that is available for sale includes usernames and email addresses and UNENCRYPTED passwords.  Also in the dump is your address, date of birth, social security number, security questions and answers, tens of thousands of emails that had been sent back and forth to the site and all of the source code for the site.

To say that they had been totally hacked seems like an understatement.

And, unlike some of the other data that recently has come up for sale (like the LinkedIn breach from 2012 that just appeared), this data was current as of last month.  Although, most people’s date of birth and social don’t change that often, so even old data is valuable.

A couple of things here.

Apparently, the hacker was not trying to keep the fact that he had hacker ClilxSense a secret after he stole all that information because he redirected their Web Site to a gay porn site.  That probably wasn’t Jim Grago’s (the owner) best day when he received a phone call at 5 AM to let him know that clients going to his web site were being redirected to a gay porn site.

So why is this breach important?

  • Well first, do you have a written and tested plan to deal with the scenario where a hacker breaks into your DNS server and repoints your web site to a porn site after locking you out, effectively stopping you from undoing it and even stopping you from taking the site down?  It took ClixSense all day to do shut it down and more days to recover from the event.
  • Second, do you have a crisis communications plan to tell your customers what is happening – understanding that you no longer have access to your web site or your email server?

My guess is for most companies, the answer to both of these questions is no.

My next question goes out to their customers.  Why would you share your Social with a site that will pay you a few bucks a year to watch ads?  JUST. DON’T. DO. IT!  If they don’t have it, they can’t leak it.

Finally, my last question goes to the [expletive] who decided that storing millions of passwords unencrypted was a good idea.  HE should be fired and that seems like just cause for a lawsuit.

The problem that you and I have as consumers is that we don’t know which sites that we share information with have good cyber security practices.  We think that Google or Facebook probably have good practices (at least I think they probably do), but how do we know.  We think the data that we share is safe, but again, we don’t really know.  The best answer is to not share sensitive data unless we have a good reason to and we also have a good reason to believe they are storing that information securely.

But just so that Jim Grago can cry in his beer with some company, his is not the company to fail the safe password storage test.

After spending less than 5 minutes on Google, I found:

In October 2015, a researcher found 13 million unencrypted passwords from free hosting provider 000Webhost on the dark web.  The hosting service confirmed they were breached.

ISP Frontier Communications uses a system called Shawn to secure your passwords.  If you forget your password, you call them and Shawn will look it up and tell you what it is. Obviously, it is stored in a manner where Shawn (and probably a bunch of other employees and, of course, a hacker) can see it unencrypted.

In November 2013, the dating site Cupid Media admitted that 42 million unencrypted passwords were real, theirs and likely stolen almost a year earlier.

One more thing, I keep harping on using different passwords for different sites.  In the case of ClixSense, we do not know how long the hacker had access to those passwords before he got that evil grin on his face and pointed their web site to a gay porn site.  Maybe it was a day.  Maybe a year.  If you assume that the hacker had access to your name, email and unencrypted password for even a month and you reused that password on other important sites, how much damage could that hacker do to you.  The problem is that no site is really safe from a hack, so don’t reuse passwords if you can avoid it.  At least that way, you can contain the damage somewhat.

For web site owners, first salt and then encrypt your passwords.  P-L-E-A-S-E!!!


For information on the ClixSense hack see the article on Ars Technica, here.

For information on the 000WebHost hack, see this article on Ars Technica, here.

For information on the Frontier Communications password reset fiasco, see this Ars Technica article, here.

Leave a Reply

Your email address will not be published. Required fields are marked *