Scribd, which claims to be the world's largest online library, has been hacked - exposing the email addresses, usernames and password hashes of 500,000 users. The document-sharing website admitted the database raid may have leaked the details of one per cent of its 50-million-plus users. Potentially affected users have been …
They use more than 100 servers for authentication and only one was hacked?
I am greatly relieved. </sarcasm>
Love the message management..
"1% of our users" looks so much smaller than "FIVE HUNDRED THOUSAND users", doesn't it?
Probably not the skiddies.
"Scribd, which claims to be the world's largest online library....." Also accused of being one of the World's biggest open copyright infringers (http://en.wikipedia.org/wiki/Scribd#Criticism), so I don't think it was the usual freetards skiddies, more likely pro crooks looking for subscription details. Anyone with an account would be wise to change their password regardless, and probably keep an eye on purchases on the card they used to subscribe.
Re: Probably not the skiddies.
A friend of mine is a senior lecturer in archeology; he has published a small number of books, three or four, I can't remember. These books form part of his income, he relies on the royalties - so do many academics. He found all of them on Scribd, accompanied by a comment along the lines of "get them before the bastards take them down."
The Importance of security?
I always love the uncertainty of these articles about security - words like probably, and should be OK we hope.
Even the security guy at the bottom of the article says at this point it probably doesn't matter and as true as this is it's still such a weird choice of words.
If you're upgrading your password encryption (for instance from unsalted to salted) you can only realistically do it when the user logs in, since this is the only time your system has the unencrypted password to work with. It may well be that the 1% haven't logged in recently enough to be upgraded, and hackers have potentially got some nice and easy unsalted md5 hashes to work with.
Re: 1% figure
I'm not 100% sure, but could you hash the existing hash with added salt, so that way two operations are needed to decrypt the hash, so at least you're not vulnerable to rainbow tables before the next time a password reset/login occurs.
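The two migration routes discussed in the comments above (re-hashing on the next login, when the plaintext is available, versus wrapping the stored unsalted MD5 hash in a salted hash right away without the plaintext) fit together in one scheme. The following is an added illustration, not code from Scribd or from the commenters; the `LEGACY_USERS` store, the user names and the passwords are constructed sample data, and the record layout and function names are assumptions made for this example. Offline, every legacy MD5 hash is immediately wrapped as `pbkdf2(md5_hex, salt)` so no bare MD5 remains in the database; on the next successful login the plaintext is in hand, so the record is replaced with a direct salted PBKDF2 hash.

```python
import hashlib
import hmac
import secrets

# Constructed legacy store: unsalted MD5 hex digests, the kind of record the
# comment says a site might still hold for users who have not logged in recently.
LEGACY_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for the example


def _pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy_record(md5_hex: str) -> dict:
    """Wrap an existing unsalted MD5 hash in a salted slow hash, offline.

    Needs no plaintext: scheme 'wrapped-md5' means pbkdf2(md5(password), salt).
    Rainbow tables built over md5(password) no longer apply to the stored value.
    """
    salt = secrets.token_bytes(16)
    return {"scheme": "wrapped-md5", "salt": salt,
            "hash": _pbkdf2(md5_hex.encode(), salt)}


def fresh_record(password: str) -> dict:
    """Direct salted hash of the plaintext; the target format after migration."""
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2-sha256", "salt": salt,
            "hash": _pbkdf2(password.encode(), salt)}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    if record["scheme"] == "wrapped-md5":
        inner = hashlib.md5(password.encode()).hexdigest().encode()
        candidate = _pbkdf2(inner, record["salt"])
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = _pbkdf2(password.encode(), record["salt"])
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def migrate_offline(legacy: dict) -> dict:
    """Step 1: wrap every legacy hash now, before any user logs in."""
    return {user: wrap_legacy_record(h) for user, h in legacy.items()}


def login(store: dict, user: str, password: str) -> bool:
    """Step 2: on a successful login the plaintext is available, so finish
    the migration for that user by replacing the wrapped record."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] != "pbkdf2-sha256":
        store[user] = fresh_record(password)
    return True


if __name__ == "__main__":
    store = migrate_offline(LEGACY_USERS)
    print(store["alice"]["scheme"])            # wrapped-md5
    print(login(store, "alice", "correct horse"))  # True
    print(store["alice"]["scheme"])            # pbkdf2-sha256
```

A failed login must not touch the record, and a user who never logs in stays in the `wrapped-md5` form indefinitely; that is still an improvement over a bare MD5 column, but the wrapped form remains only as strong as MD5 against attacks on the inner hash, which is why the second step is still worth completing on login.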