Some 17,000 culture vultures registered to the UK's National Theatre website need to reset their passwords after the site was hacked. The 20 February attack hit systems storing the logins of 17,000 (or around three per cent) of the 500,000 plus registered with the site. Only email, password, name and contact information was …
Don't tell me they were storing people's passwords in plain text!? I seriously don't understand how such large companies can go on doing that.
It also illustrates the folly of not salting and hashing passwords (with something slower than MD5, preferably): the implication of both the registration page here - https://www.nationaltheatre.org.uk/register - and their announcement is that they store passwords as plain text. Of course an IT-literate site like El Reg wouldn't be so fuckwitted as to do this, would it?
Oh, it does.
Maybe they just weren't hashed enough. Or even if they were.
If my password was set to "carnegie" then that's one of the first things they'll try. Along with "national theatre" and "nt". Maybe a dictionary attack was how it was done, and using the names of anyone who mentioned the National Theatre online.
How many times
How many times do hacks have to reveal passwords before people will start HASHING passwords? (let alone salting)
It's not new tech - the concept has been around for decades. It's just laziness or incompetence.
Personally, I think you let them off pretty lightly.
GROSS Incompetence at the NT
I was a member of the public that received the email saying my personal 'contact details' may have been accessed by a hacker. The head of IT at the NT could not even tell me what 'contact details' included until I sent him an email to enquire. Instead of coming clean and telling us our HOME ADDRESS AND POST CODE was at risk he decided to come out with an idiot ambiguous statement. Many people fall victim to identity theft from situations like this and the head of IT at the NT doesn't seem to think we should know the severity of the issue.