If you are a registered user of the CNET technology news website, it might be a good idea to put your emergency password plans into action right now.
That means changing your CNET password, and ensuring that you are not using the same password anywhere else on the net.
Although there is no indication that your password is in imminent danger, it seems a sensible precautionary measure after CNET admitted that hackers broke into some of its web servers a few days ago, and accessed a database of the site’s users.
A Russian hacking group called W0rm claims to have stolen the database of more than one million of CNET’s registered users – including usernames, email addresses and encrypted passwords – having exploited a security hole in CNET’s installation of the Symfony framework, the behind-the-scenes software that ties all the pieces of its website together.
At the time of writing, CNET does not appear to have reached out to affected users to inform them of the security breach – but it has posted a news story about the hack, where CNET spokeswoman Jen Boscacci is quoted as acknowledging that “a few servers were accessed” and that the company “identified the issue and resolved it a few days ago.”
No details have been shared of how the CNET passwords might have been secured – in other words, which algorithm was used, and whether the passwords were salted and hashed, which would make them much more difficult for malicious hackers to recover and exploit.
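As an added illustration of that point (example code written for this post, not anything from the article or from CNET), here is the difference between storing a bare hash and storing a salted, iterated hash, using Python’s standard library; the user records are constructed sample data:

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to have chosen the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    # The weak scheme: one plain hash per password. Equal passwords give
    # equal digests, so a single precomputed table cracks every user who
    # picked that password, and a leaked table exposes them all at once.
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> dict:
    # The sound scheme: a random per-user salt plus a slow, iterated hash.
    # The salt is stored in the clear; it only needs to be unique, not secret.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    # Recompute with the stored salt and work factor, then compare in
    # constant time so the check itself does not leak timing information.
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def stored_values_collide(users: dict, hasher) -> bool:
    """True if any two users end up with an identical stored value."""
    values = [hasher(pw) for pw in users.values()]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    print("bare hashes collide:", stored_values_collide(USERS, unsalted_hash))
    print("salted hashes collide:",
          stored_values_collide(USERS, lambda pw: make_record(pw)["hash"]))
```

With the bare scheme the two users share an identical stored value; with the salted scheme they do not, and an attacker holding the database must attack each record separately at the chosen work factor.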
Yesterday, the database was offered for sale via Twitter for the somewhat small price of 1 bitcoin (approximately $622), but the hacking gang’s spokesperson confirmed that this was being done primarily to gain attention.
According to the report, a spokesman for the W0rm hacking gang told CNET that they hacked the site’s servers in order to raise awareness of security flaws, rather than for financial benefit.
The same gang has claimed responsibility for hacking the BBC, Adobe, and Bank of America websites in the past.
Looking at the screenshot displayed by the hackers of the compromised CNET web server does tell us something interesting. Clearly the hackers have carefully redacted sections of the URL they accessed, possibly in an attempt to prevent other copycat hackers from trying to break into the site.
If that’s right, then it does suggest that the hackers are more interested in shaming CNET into improving their web security than putting innocent users at risk.
Let’s hope that the hackers are true to their word about exposing weak security, and were joking about selling the CNET database for 1 Bitcoin. Even if the passwords aren’t cracked, it’s easy to imagine how the email addresses and other stolen information could be exploited by cybercriminals in phishing campaigns and targeted attacks.
And that, by the way, is why CNET should do the decent thing and reach out to affected users – warning them of the possibility of malicious emails and communications using some of the information that has been exposed.
It seems to me that would be the responsible thing to do, and I hope that we see CNET confirm that it will inform its community of registered users in an appropriate fashion.