Tosh admits customer accounts pillaged

Toshiba says that unidentified hackers have stolen customer records belonging to 7,500 of its customers. Credit cards details were not compromised, but emails, addresses, passwords and phone numbers all went missing. The company said the hackers gained access to a US server. The hack came to light on 11 July and customers …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    WTF?

    all went missing.

    Someone deleted them? Surely they have a backup?

    (copied data is not missing!)

  2. Shane8
    Big Brother

    Passwords...

    Passwords hashed, I hope?

    1. Paul Crawford Silver badge
      Unhappy

      @Passwords

      I don't hold out a lot of hope, but that is a general observation and not Toshiba-specific.

      How many sites send you a password reminder of your *real* password by email?

      This shows that (a) they store it in un-hashed form somehow, and (b) they don't care that email is unencrypted and your email account may well be hacked.

      Folks, think about all of the times you have received such a reminder!

      Assuming, like me, you occasionally forget and use such a service; if not, why not give it a try with some companies that have important stuff...

      1. Pascal Monett Silver badge

        Re: How many sites send you a password reminder of your *real* password by email?

        Not many, not any more. Most of the sites I have a login on send you a link that allows you to reset your password within a certain time limit. You click the link and must set a new password.

        As long as the miscreants don't change your email address, that seems fine to me.

  3. Anonymous Coward
    Coat

    Toshiba division...

    Wonder what division: laptop, PC or server customers, considering there's a nice round number?

  4. [Yamthief]

    @Passwords

    Probably very old news to you lot, but even hashed passwords are pointless if you know the hash!

    http://www.md5rainbow.com/

    eg:

    md5("Password1") = 2ac9cb7dc02b3c0083eb70898e549b63

    http://www.md5rainbow.com/2ac9cb7dc02b3c0083eb70898e549b63 shows the password decrypted.

    1. Anonymous Coward
      Happy

      Yes but

      Would you mind passing the salt?

    2. Anonymous Coward
      Anonymous Coward

      @ Yamthief

      My initial response won't actually make sense if you don't know what salting/seeding a password is, so in summary:

      salt = "f32ad35aef";

      password = "secret";

      md5(salt + password);

      where salt is a random number (or any other random string) stored in the database with the password hash. The salt value should be different for each password you store.

      This way even if a user uses a commonly used password it'll have a different hash.

  5. TheRead
    Angel

    Thought for a moment

    that you meant that horrible comedian who thinks he's funny by making "edgy" racist jokes and then exclaiming "It's okay because I'm *ONLY KIDDING*."

    I'm not one to wish pain on others, but I wouldn't be upset in the slightest if his fans all had to go about resetting their passwords.

  6. pompurin

    SHA256

    Use an 8 character salt with upper and lowercase letters with digits and special characters.

    Use obvious password restrictions, I would suggest a minimum of 12 characters these days but most still seem happy with 8.

    SHA256 (Password + Salt)

    Then SHA256 hash the result 1,000 times just to increase the computational complexity, and you have yourself a reasonably secure hash.

    1. Anonymous Coward
      Anonymous Coward

      re: SHA256

      How does the 1000 iterations impact login time/password verification?

      Or just tell me to Google it.

      1. George Marian

        Password hashing speed

        A password hashing algorithm has to be just fast enough not to negatively impact the login time. A fast hashing algorithm is actually a vulnerability. That's where something like bcrypt comes into play.

        Here's a good article on the topic:

        http://codahale.com/how-to-safely-store-a-password/
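To make the salting scheme from the reply to Yamthief and the salt-plus-1,000-round SHA256 idea from pompurin's post concrete, here is an added Python example; it is not code from the thread or from any vendor, and it assumes a 16-byte random salt per user and a small constructed lookup table standing in for the md5rainbow site.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 1000  # the "1,000 times" figure from the thread above


def iterated_sha256(password: str, salt: bytes, rounds: int = ITERATIONS) -> bytes:
    """SHA256(password + salt), then re-hash the digest `rounds` more times (the thread's scheme)."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def make_record(password: str, rounds: int = ITERATIONS) -> dict:
    """Create a stored record: a fresh random salt per user, kept beside the hash."""
    salt = os.urandom(16)  # 16 random bytes (assumption; the thread suggested 8 characters)
    return {"salt": salt, "rounds": rounds, "hash": iterated_sha256(password, salt, rounds)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    candidate = iterated_sha256(attempt, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Two users with the same password get different hashes, so one lookup
    table cannot cover both; this is the point of the salt."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


def verify_seconds(record: dict, attempt: str) -> float:
    """Wall-clock cost of one verification, answering the 'login time' question."""
    start = time.perf_counter()
    verify(record, attempt)
    return time.perf_counter() - start


def unsalted_md5_lookup(password: str) -> "str | None":
    """Constructed three-entry lookup table: an unsalted MD5 maps straight back
    to its password, which is exactly what the md5rainbow link relies on."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in ("Password1", "secret", "letmein")}
    return table.get(hashlib.md5(password.encode()).hexdigest())
```

Raising `rounds` scales `verify_seconds` roughly linearly, which is the trade-off George Marian describes: slow enough to hurt offline guessing, fast enough not to annoy a user logging in once.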
