It has been relatively quiet on the IT hacking front for the past month since LinkedIn and eHarmony were hacked and some 8 million user passwords taken. But things hotted up this past week, with several major hacks targeted at the social media site Formspring, search company Yahoo, and just announced today, hardware maker Nvidia.
On Monday, hackers posted password information for 420,000 Formspring accounts online, which caused the company to reset the passwords of all 28 million users on Wednesday as a precaution. A story at the San Francisco Chronicle quotes Formspring founder Ade Olonoh’s blog: “We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database.”
The Formspring passwords taken were encrypted, and the company “salts” its password files, making it more difficult for them to be decrypted than in the LinkedIn and eHarmony cases. A story in Secure Computing magazine says that Formspring has taken additional steps to increase the strength of the password encryption technique it uses.
Then yesterday came word that Yahoo had been hacked and that password information on some 453,000 accounts had been posted online. The information was taken from the Yahoo Contributor Network, an Internet publishing company Yahoo had acquired in 2010, says a story at the Chicago Tribune.
This time, the password information stolen was unencrypted, which is surprising for a company that really should know better. Yahoo tried to play down the breach by saying the file stolen was old and that less than 5% of the Yahoo accounts taken were still active. However, the password information taken also included “106,000 Gmail e-mail addresses, 55,000 Hotmail e-mail addresses and 25,000 AOL e-mail addresses,” according to the New York Times. The Tribune story also notes that accounts from Comcast Corp, Verizon Communications, and AT&T were exposed as well. It is unclear how many of those accounts are still active, but most of the companies have already stated that they have reset the passwords of the affected accounts.
The hackers who broke into Yahoo stated they did it as a “wake-up call” to show how poor Yahoo’s security was. As numerous stories have also pointed out, the hack illustrated (again) how account holders too often use lame passwords.
Finally, there is word filtering out this morning that Nvidia’s developer forums were also hacked last week and the password information for an unknown number of accounts was taken. Nvidia has closed down the forums while an investigation is taking place. While the password information was encrypted and salted, Nvidia is telling users, “As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.”
They should probably have added, “And while you’re at it, ensure that none of your passwords for any of the sites you are registered for are identical.” That is your biggest risk.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.