CNET hacked! Registered users' details stolen by gang demanding 1 Bitcoin

If you are a registered user of the CNET technology news website, it might be a good idea to put your emergency password plans into action right now.

That means changing your CNET password, and ensuring that you are not using the same password anywhere else on the net.

Although there is no indication that your password is in imminent danger, it seems a sensible precautionary measure after CNET admitted that hackers broke into some of its web servers a few days ago, and accessed a database of the site’s users.

A Russian hacking group called W0rm claims to have stolen a database of more than one million of CNET's registered users – including usernames, email addresses and encrypted passwords – by exploiting a security hole in CNET's installation of the Symfony framework, the behind-the-scenes software that ties the pieces of its website together.

At the time of writing, CNET does not appear to have reached out to affected users to inform them of the security breach – but it has posted a news story about the hack, where CNET spokeswoman Jen Boscacci is quoted as acknowledging that “a few servers were accessed” and that the company “identified the issue and resolved it a few days ago.”

No details have been shared of how the CNET passwords were secured – in other words, which algorithm was used, and whether the passwords were salted and hashed with a deliberately slow function. Stolen hashes can always be extracted from a copied database; what salting and slow hashing change is how hard it is to turn those hashes back into the original passwords, since an unsalted fast hash can be cracked with a single precomputed lookup table, while a salted slow hash forces the attacker to repeat the expensive computation for every user and every guess.
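To make the difference concrete, here is an added example (not code from the article or from CNET) that runs the same small dictionary attack against a constructed "users" table stored two ways: as unsalted MD5, and as salted, iterated PBKDF2-HMAC-SHA256. The user names, passwords and wordlist are all hypothetical sample data; the point is the cost of cracking each scheme, not the specific values.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "users" table, the kind of data a leaked database holds.
# Hypothetical data for illustration only; nothing here comes from the real breach.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "cnet2014",
    "carol": "password",       # same password as alice
    "dave": "T4k3s-l0ng3r!",   # not in the attacker's wordlist
}

# A tiny attacker wordlist (constructed).
WORDLIST = ["123456", "password", "letmein", "qwerty", "cnet2014", "dragon"]


def weak_hash(password: str) -> str:
    """Unsalted MD5: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> dict:
    """Recover plaintexts from unsalted hashes with one lookup table.

    Cost: one hash per wordlist entry, however many users leaked, because
    the table built for the first user serves every other user too.
    """
    table = {weak_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256.

    The stored string carries the algorithm, iteration count and salt, so
    verification can recompute exactly the same derivation later.
    """
    if salt is None:
        salt = os.urandom(16)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(stored: dict, wordlist) -> tuple[dict, int]:
    """The same dictionary attack against salted, iterated hashes.

    No shared table is possible: every (user, guess) pair needs its own slow
    derivation. Returns the recovered passwords and the number of derivations
    performed, so the extra work is visible.
    """
    found, work = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            work += 1
            if verify(guess, record):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted MD5, alice == carol:", weak["alice"] == weak["carol"])
    print("cracked from one table:", crack_unsalted(weak, WORDLIST))

    strong = {u: strong_hash(p) for u, p in SAMPLE_USERS.items()}
    print("salted PBKDF2, alice == carol:", strong["alice"] == strong["carol"])
    found, work = crack_salted(strong, WORDLIST)
    print(f"cracked after {work} slow derivations:", found)
```

The weak scheme lets an attacker spot that alice and carol share a password before cracking anything, and one six-entry table cracks all three weak passwords at once. The salted scheme hides the match and makes the attacker pay one full PBKDF2 derivation per user per guess; with a realistic iteration count and a million-row database that is what turns a minutes-long job into one that is no longer worth doing for most accounts.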

Yesterday, the database was offered for sale via Twitter for the somewhat small price of 1 bitcoin (approximately $622), but the hacking gang's spokesperson confirmed that this was being done primarily to gain attention.

According to the report, a spokesman for the W0rm hacking gang told CNET that they hacked the site’s servers in order to raise awareness of security flaws, rather than for financial benefit.

The same gang has claimed responsibility for hacking the BBC, Adobe, and Bank of America websites in the past.

The screenshot the hackers published of the compromised CNET web server does tell us something interesting. They have carefully redacted sections of the URL they accessed, possibly in an attempt to stop copycat hackers from using the same route into the site.

If that’s right, then it does suggest that the hackers are more interested in shaming CNET into improving their web security than putting innocent users at risk.

Let’s hope that the hackers are true to their word about exposing weak security, and were joking about selling the CNET database for 1 Bitcoin. Even if the passwords aren’t cracked, it’s easy to imagine how the email addresses and other stolen information could be exploited by cybercriminals in phishing campaigns and targeted attacks.

And that, by the way, is why CNET should do the decent thing and reach out to affected users – warning them of the possibility of malicious emails and communications using some of the information that has been exposed.

It seems to me that that would be the responsible thing to do, and I hope that we see CNET confirm that they will inform their community of registered users in an appropriate fashion.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment
  • A part of me, which is part of my past but still exists in many ways, hopes that they are indeed only shaming CNET and not out to harm. I think that that can speak for itself in many ways and so indeed I'm not going to elaborate (other than indicate I am not at all OK with malicious activity). Anyone curious can use their imagination... or alternatively, you can prefer fantasy (either way it won't be known), like they do, where they have a window open referring to Final Fantasy... another nice thing to see (in addition to them redacting critical information).