Trendy UK estate agency Foxtons pushed the big red password reset button, as a precaution, after it appeared hackers lifted thousands of clients' usernames and passwords from its systems. Miscreants claimed to have leaked online user names, email addresses and passwords of nearly 10,000 Foxtons’ customers, Estate Agent Today …
Just logged in...
Emailed immediately with a "your password has expired, we sent you a new one"...
Looks like they are not announcing anything, just resetting all passwords... I guess it's better than nothing.
Linux Apache/1.3.34 (Debian) mod_gzip/184.108.40.206a mod_perl/1.29
Linux based - not surprising it was hacked.
"...and have initiated a trigger to reset user passwords upon your next successful login".
Wait, what? So if you log in with your current password, you are then prompted to set a new one? So if you use the password from the hacked list ... etc etc.
Re: "...and have initiated a trigger to reset user passwords upon your next successful login".
It sent a password reset link to my registered email address.
Couldn't happen to a nicer firm.
Re: Couldn't happen to a nicer firm.
You accidentally misspelt 'pack of raptors'.
We asked a Foxtons representative whether the company hashed or salted stored passwords, a basic security practice. The rep declined to comment on any aspects of the incident beyond saying that it may decide to issue a statement at some point.
So basically they got it wrong to begin with and continue on in the same vein.
Re: Best Practice
Yeah, but "best practice" is to hire the cheapest web dev you can find and work them till they collapse.
Re: Best Practice
In fairness, the rep had no idea what the question meant and couldn't have answered it if they'd wanted to.
"The recent spate of high-profile data breaches, such as this alleged attack on Foxtons, are evidence that organisations are either not taking cyber security seriously or are bewildered by the problem"
Anycompany: "How much will this extra security cost?"
IT Dept: "£xxxx"
Anycompany: "And if the worst happens what can we be sued for?"
Lawyer: "Only £xxx"
Anycompany: "Right. Operation 'Heads in the Sand position'. All for? All against?"
You shouldn't be allowed to collect PII
Unless you can prove you can manage it properly. Including NOT STORING PASSWORDS AS CLEARTEXT!
This isn't postgrad-level stuff, this is basic 101 stuff.
This is what you get when the 'business' doesn't want to pay for paranoid, in-house corporate IT to secure their assets but goes to some Shoreditch outsourcing agency. There's a reason why IT departments are not popular: it's because they don't let you get away with spewing 10,000 punters' (multi-use, I'm sure) passwords all over t'web.
Re: You shouldn't be allowed to collect PII
Even having a paranoid, in-house corporate IT department is no guarantee that your systems will not be hacked.
Re: You shouldn't be allowed to collect PII
But it is a guarantee that users' passwords on exposed machines would have been hashed and salted, so the "hack" means next to nothing after exposure and cleanup, as opposed to plain text, which means that people run the risk of having their email and anything else with the same password also attacked. It's also a pretty good indication that a hack is less likely, will have less impact, will be spotted quicker, and be fixed better.
No, I don't use the same password for everything. But equally I don't use a different password for everything either. I have tiers of information that are protected by different passwords - ultra-secure "you can get my money" down to "spam-prone forum" all have different passwords. But I might use the same password on two spam-prone forums. And this is far above and beyond what the average person does with their passwords online, and still I'd be affected (I'm not, because I have no idea who Foxtons are).
If you aren't STORING THE PASSWORD then people can't STEAL THE PASSWORD. A simple rule. And with hashing there is no need to ever store the password at all, whatsoever, in any way. With properly salted hashes, you don't even need to worry about someone brute-forcing simple passwords with well-known hashes. Joe Bloggs doesn't understand this, an IT team will.
Which is why, when people ask me, they are astounded that I have no idea what their passwords are and no way to find them out. Of course, I can reset them to any given value but just from the way that works, they will know I've done that the second they next log in (because their password won't work any more!). I honestly have no idea about the passwords of my users. I get THEM to provide them when necessary (which is rare).
No sympathy at all. Horrible, sniffy, expensive little estate agency that they are.
Trouble is that they have at least the London market pretty much sewn up. If you want to rent in London, then you have to be prepared to pretty much accept that you'll be paying Foxtons' gouging fees (as either tenant or landlord). They also do nasty tricks like inserting clauses in contracts about changing utility supplies to some expensive outfit they have a deal with. They don't tell the landlord about this, and try to stop you having the clause removed. Advice to anyone using Foxtons, either tenant or landlord - get the contract checked over by a competent solicitor.
Make it a prosecutable offence to develop/maintain/own a website that doesn't perform basic secure password storage techniques. Salt, hash with SHA256+ and add a bit of pepper stored in the file system. Or ideally just use Bcrypt.
Having some sort of legislation to punish those who store the personal data of others insecurely would have been a better use of time and money than that bonkers cookie law which requires people to botch on nasty cookie consent bars onto sites. Just wait until people start getting nasty with the HTML5 browser storage APIs, cookies will seem like a walk in the park.
If you don't know how to store this stuff securely then you're in the wrong industry. The problem is website designers who have zero knowledge of software engineering principles thinking that reading a few PHP tutorials will allow them to unlock the job title "website developer" and a higher salary. And companies who don't do security audits of code/databases.
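A worked example of the "basic secure password storage" that the two comments above (hashing so the password is never stored; salt, hash, pepper, or bcrypt) are asking for. This is an illustration added here, not code from the original thread, from The Register, or from Foxtons. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (which is not in the standard library), a random per-user salt, and a server-side pepper kept outside the database. The pepper value, the record format, the user names and the sample passwords are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example pepper. In a real deployment this secret lives outside
# the database (a restricted file, an environment variable, a KMS), so that a
# dump of the users table alone is not enough to start cracking.
PEPPER = b"example-pepper-do-not-use-in-production"

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current guidance is 600,000).
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The plaintext is never persisted; the record holds only the public,
    per-user, random salt and the derived key.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + PEPPER,
                             salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time, so timing does not leak how much matched."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        rounds = int(iterations)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + PEPPER,
                                 salt, rounds)
    return hmac.compare_digest(actual, expected)


def naive_sha256(password: str) -> str:
    """The unsalted, single-round scheme the thread warns against: identical
    passwords give identical hashes, so a leaked table is a lookup problem."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def compare_schemes(password: str) -> dict:
    """Two users with the same password: distinguishable records under the
    salted scheme, identical ones under naive SHA-256, and both still verify."""
    salted_a = hash_password(password)
    salted_b = hash_password(password)
    return {
        "salted_records_differ": salted_a != salted_b,
        "naive_hashes_equal": naive_sha256(password) == naive_sha256(password),
        "both_salted_verify": (verify_password(password, salted_a)
                               and verify_password(password, salted_b)),
    }


if __name__ == "__main__":
    # Constructed sample user table: only the hash records are persisted.
    users = {"alice": hash_password("correct horse battery staple"),
             "bob": hash_password("correct horse battery staple")}
    for name, rec in users.items():
        print(name, rec)
    print(compare_schemes("hunter2"))
```

Because the iteration count and salt are embedded in each record, the work factor can be raised later and old records re-hashed on the user's next successful login, which is the same "upgrade on login" trigger the earlier comments describe Foxtons using for its reset.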
I vaguely recall the backend might have been
To be honest, if you are targeting a market sector for hacking, Estate Agents would be the one to go for. I have worked in many industry sectors over the years, and can confidently say that *no-one* is tighter than an estate agent.
Their favourite trick was to put a new starter (for some reason they always had a high staff turnover) on a desk with our software and helpdesk number, and then let them try to use the helpdesk for free training, having refused to pay for training in the first place.