PayAsUGym breach exposes passwords

Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords. In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later …

  1. Anonymous Coward

    Name Change?

    Perhaps a name change is in order. How about;

    PwndAsUGym :))

  2. Anonymous Coward
    Happy

    Phew, dodged a bullet then

    thank the lord for my gloriously untoned, "never been to a gym" body then.

    1. Anonymous C0ward
      Pint

      Re: Phew, dodged a bullet then

      Yeah, I lift. Pint glasses are heavy.

  3. ovation1357
    WTF?

    Seriously?

    Unsalted MD5 hashes - You're joking, right?

    I never cease to be stunned by the fact any business is using the password storage practices, which have been condemned for close to two decades!

    Mind you, I recently inherited a home-grown application for a charity where all the passwords are stored using the first 8 characters of an unsalted MD5 hash. Which is bad enough but then someone decided to add a column in the same table which stores the whole password in clear text (apparently so that it could be included in an 'I forgot my password' email). Doh!

    Thankfully it looks like it's soon to be retired as it's a liability and needs a complete rewrite to remove all the horrors of old-skool PHP (Yes: we're really talking Globals galore, unchecked user input going straight into SQL queries, badly formed HTML, massive (and deeply nested) flow control, etc.).

    1. John Brown (no body) Silver badge

      Re: Seriously?

      "I never cease to be stunned by the fact any business is using the password storage practices, which have been condemned for close to two decades!"

      It's worse than that. These are websites/companies which didn't even *exist* when MD5 went obsolete for this use. I wonder if they give their senior management/directors a company horse and carriage instead of one of those newfangled complicated cars?

  4. cdegroot
    WTF?

    Seriously, MD5?

    If that's true, here's to hoping that someone gets slapped on the wrist, really hard, with criminal negligence charges.

  5. David Lewis 2
    Facepalm

    Err ... What?

    “This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts."

    And just how is a Business to do that?

    Do I have to tell them the password for my personal e-mail account so they can check?

    1. Flocke Kroes Silver badge

      Re: Err ... What?

      Easy. Businesses just install a certificate for their own fake signing authority on all their PCs. They can then man-in-the-middle all https communication without causing the browser to show warning messages.

  6. EnviableOne Bronze badge
    Coat

    Cooking advice

    MD5 Fail, when will people learn, a little salt is all you need, and ofc not to use a hash algorithm that was broken ten years ago ....
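The storage scheme ovation1357 describes above (the first 8 characters of an unsalted MD5 hash) and EnviableOne's point that a salt is the bare minimum, shown side by side. This is an added example, not code from the article or any commenter; every function name and the record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weak scheme from the thread: unsalted MD5, first 8 hex digits only ---
def weak_md5_8(password: str) -> str:
    """Unsalted MD5 truncated to 8 hex characters (32 bits).
    Every user with the same password gets the same stored value, MD5 is a
    fast hash with no work factor, and only 2**32 distinct values exist, so
    unrelated passwords collide as well."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[:8]

# --- The hardened form: per-user random salt plus a slow, iterated KDF ---
PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'iterations$salt_hex$hash_hex' so the
    work factor can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def stored_values_identical(scheme, password: str) -> bool:
    """Do two users who pick the same password end up with identical stored
    values? True for the weak scheme, False once each record has its own salt."""
    return scheme(password) == scheme(password)

if __name__ == "__main__":
    pw = "password"  # constructed sample input
    print("weak:", weak_md5_8(pw), stored_values_identical(weak_md5_8, pw))
    rec = hash_password(pw)
    print("hardened:", rec, stored_values_identical(hash_password, pw))
    print("verify:", verify_password(pw, rec), verify_password("Password", rec))
```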

  7. Anonymous Coward

    This has been coming a while

    Saw a Twitter feed with a lot of information already taken and whoever had done it to contact them and ignoring them wouldn't help. Don't know much about this sort of thing but that had a long time to sort over a couple of months. Sad.

Biting the hand that feeds IT © 1998–2019