Mag publisher Future stored your FileSilo passwords in plaintext. Then hackers hit

UK magazine publisher Future's FileSilo website has been raided by hackers, who have made off with, among other information, unencrypted user account passwords. FileSilo.co.uk is a website Future's mag subscribers can log into to download materials, such as Photoshop templates and graphics, for tutorials published in its print …

  1. Adam 1 Silver badge

    > El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. In accordance with FileSilo's security policy, we sent the request in plaintext.

    >

    > We have not heard back. ®

    Let's not be too cocky. Until rather recently, certain other sites used to force credentials and session cookies to be submitted in clear text. Glad to see they saw the error of their ways though...

    1. diodesign (Written by Reg staff) Silver badge

      IGNORE ADAM. HTTPS HERE :D

      C.

      1. Adam 52 Silver badge

        He did say "Until rather recently". Reg has only been https for what, 30 days? It's 2017 and...

        1. diodesign (Written by Reg staff) Silver badge

          Re: Adam 52

          I hate to literally "actually" into a conversation but...

          Actually, we went HTTPS well before 2017: experimentally, while we worked on things like ads, layout components, the mobile design, and so on, HTTPS was available; we just didn't hype it before it was ready. If you tweaked the URL from HTTP to HTTPS you would have had a nice surprise. We've been working on encrypted Reg reading for months :) Props to Marco, Tony and the tech team for their work. It takes time because there are so many components to a page, and all need to be served securely.

          So in short, if you hit an HTTP link, change it to HTTPS. Gradually, these will all become HTTPS automatically.

          C.

      2. DropBear Silver badge

        Just as a token fly in the ointment - it doesn't seem to work on https://theregister.co.uk though ("unable to connect" unless you either add the "www" bit or remove the "s")...!

      3. Oh Homer

        Clarification needed

        I'm still not clear on whether the passwords were stored unencrypted in plaintext.

  2. Red Bren

    Future Publishing

    I remember when they used to publish "Your Sinclair". Perhaps they were using a ZX Spectrum to host their site?

    1. Alister Silver badge

      Re: Future Publishing

      > I remember when they used to publish "Your Sinclair".

      I remember when they used to publish "PC Plus" magazine.

    2. joeW Silver badge

      Re: Future Publishing

      I think "Amstrad Action" was one of theirs too.

  3. Anonymous Coward

    Not again!

    It's time directors / business owners started getting sent to prison for this. There is no excuse for storing passwords in plain text.

    1. Anonymous Coward

      Re: Not again!

      "It's time directors / business owners started getting sent to prison for this. There is no excuse for storing passwords in plain text."

      A lovely idea, but never going to happen. The poor teaboy will get the sack for it, like a sacrificial lamb to the slaughter. And most of the time the time pressures etc exerted on to the developers and server people are never written down. It'll be a case of their manager coming round saying "Yeah I know the passwords should be encrypted but we simply don't have the hours to do that, so don't do it ok?".

      A/C because I was a mere apprentice when similar shit hit a similar fan.

      1. Anonymous Coward

        Re: Not again!

        Depends how the legislation is worded. Senior execs are criminally liable for health and safety violations, so the same could be the case here.

      2. Anonymous Coward

        Re: Not again!

        As long as the scenario you described is accepted nothing will change.

        How many times can the same thing happen?

        Basic Security is not hard, there are enough warnings appearing in the press every day.

        It is worth paying for someone's time if you cannot work it out.

        As it stands there is no comeback when you get caught out, you publish a standard letter with the standard 'You are so important ....' message and continue as before.

        We will get told that the problem has been fixed but how are we to know ?

        I have received similar messages from other companies and there is never any follow up and the problem is just dumped on my lap to deal with.

        There need to be real consequences that matter to the companies, i.e. financial.

        Otherwise they will just continue in the usual slapdash manner with it hardly impacting their lives at all, somewhat different to the customers they screw up !!!

    2. Anonymous Coward

      Re: Not again!

      As part of a recent support session with a decent sized UK cycling retailer (not the orange one) I got sent a screenshot of my account details page on their backend systems. And guess what? - there was my password displayed for all to see.

      So at best reversible encryption, but I very much doubt it.

      Who designs these systems?

      1. Nick Ryan Silver badge

        Re: Not again!

        > Who designs these systems?

        Morons. I'd love to come up with a more positive or forgiving description of them; however, years of jaded experience seem to point more and more towards this term, particularly as "narrow minded idiots" just isn't as snappy.

      2. Anonymous Coward

        Re: Not again!

        I could name a large multinational Telecoms company that started in the City Of London that appears to store their passwords in either plain text or easily reversible format.

        How do I know?

        Click the "I forgot my password" and they will kindly email it to you.

        Yes I emailed them.

        No they didn't understand.

        1. Anonymous Coward

          Re: Not again!

          Their correct name is "City London Of Telecom"....

  4. Terry 6 Silver badge

    Clarification

    Sorry, it wasn't clear enough in the article. Were you perhaps trying to suggest that they might have possibly stored passwords in unencrypted form as apparently plain text?

    1. Anonymous Coward

      Re: Clarification

      It's all a big misunderstanding. They were heavily encrypted, not with double-, not with triple-, but with QUADRUPLE-ROT13.

      1. Nick Ryan Silver badge

        Re: Clarification

        I wholeheartedly appreciate how you even encrypted your post using QUADRUPLE-ROT13. To show a similar level of appreciation I have posted this message with OCTUPLE-ROT13.

        Good luck reading this post suckers!

  5. Anonymous Coward

    Maybe there's something you can do...

    I remember Amstrad Action. :-)

    I think it would be good to post a link to an article which states how passwords should be dealt with on servers. The main problem could be that the sales and the management team have promised impossible time scales for the website development team. They get most of the money, while all the work is done by those engineers and others.

    1. Nick Ryan Silver badge

      Re: Maybe there's something you can do...

      It takes seconds (literally) to implement an encrypted password store as there are standard toolkits available that perform all the basic processes you need.

      Security conscious developers will also carefully trace the flow of the unencrypted password to ensure that the code route is as short as possible and that any unencrypted copies are overwritten as soon as possible and no copies are made. It's a relatively simple process and can save a lot of potential problems down the line.

  6. lglethal Silver badge

    "We take the security of our registered users extremely seriously..."

    Your actions leading up to the breach would seem to suggest otherwise, no?

  7. CAPS LOCK Silver badge

    FUTURE publishing?

    PAST publishing more like...

  8. Mark Simon

    It’s about time …

    I know that Britain is leaving the EU fold, but isn't it about time to look at legislating a more responsible approach to storing user data?

    The EU has the Cookie Law, which requires user consent for using cookies or any other form of local storage on a web site. Why can’t governments understand that insecure handling of user data is much more serious than storing cookies, and require organisations to conform to a minimal standard which includes better handling of user data?

  9. Doctor Syntax Silver badge

    "El Reg asked Future for some comment on the breach and the reason why the passwords were stored in plaintext and not encrypted. "

    I'd have been a bit more pointed. I'd have also asked them to explain how this was taking their customers' security seriously. In a case like this they just shouldn't be given a free pass to come up with this junk, not even if it's printed with a pointed comment. They really should be pressed on the point.

  10. caffeine addict Silver badge

    Christ it's not that long ago that if you joined one of their forums, they sent you a welcome email with your chosen password in it.

    When I picked them up on it, their web guy told me it was "industry standard". *sigh*

  11. irksum

    Shocking but not surprising for a magazine publisher.

    Years ago I tried to log on to a well known UK IT magazine publisher's site to manage my subscription and crashed the database web application, dumping the raw text of the SQL statement to the web page that had failed because of the apostrophe in my surname. And this was years after SQL injection attacks (and how to avoid them) had been widely publicised.

    Thank **** I use a password manager that generates gibberish unique passwords for each of my logins.

    1. Anonymous Coward

      I broke the BCS's (British Computer Society's) systems because my password was too complex. :)

      Go figure.
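The failure irksum describes above (an apostrophe in a surname breaking a query whose SQL text is built by string concatenation, with the raw statement dumped to the page) and the fix that had been widely publicised by then (parameterised queries) can be shown side by side. The following is an added example, not code from the page or from any publisher's site; the subscriber table and its rows are constructed for the demo, and it uses Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data for the demo: not real subscriber records.
SUBSCRIBERS = [
    ("Smith", "jsmith", "active"),
    ("O'Brien", "obrien", "lapsed"),
]


def make_db():
    """Build an in-memory subscriber table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (surname TEXT, login TEXT, status TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?)", SUBSCRIBERS)
    return conn


def lookup_concatenated(conn, surname):
    """The fragile pattern: the surname is spliced into the SQL text.
    An apostrophe ends the string literal early, so the database sees
    malformed SQL and raises; any input character can change the query."""
    sql = "SELECT login, status FROM subscriber WHERE surname = '" + surname + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, surname):
    """The fix: the value travels separately from the SQL text, so every
    character of the surname is data, never SQL. The query shape is fixed."""
    sql = "SELECT login, status FROM subscriber WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()


def safe_lookup(conn, surname):
    """What the page should have done: run the parameterised query and,
    if anything still goes wrong, log the detail server-side and return a
    generic message rather than the raw SQL statement."""
    try:
        return {"ok": True, "rows": lookup_parameterised(conn, surname)}
    except sqlite3.Error as exc:
        # In a real app this would go to the server log, not the response.
        return {"ok": False, "rows": [], "error": "lookup failed"}


def demo():
    """Exercise both lookups on the apostrophe surname and return the results."""
    conn = make_db()
    results = {"param_ok": lookup_parameterised(conn, "O'Brien")}
    try:
        lookup_concatenated(conn, "O'Brien")
        results["concat_error"] = None          # would mean the bug did not fire
    except sqlite3.Error as exc:
        results["concat_error"] = str(exc)      # the text irksum saw on the page
    # A value shaped like SQL is still just a surname to the parameterised query.
    results["param_sql_shaped"] = lookup_parameterised(conn, "x' OR '1'='1")
    results["safe"] = safe_lookup(conn, "O'Brien")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of `safe_lookup` is the second half of irksum's complaint: even when a query does fail, the error text belongs in the server log, not in the HTML returned to the visitor.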

  12. JimboSmith Silver badge

    A few years ago a magazine site (it's a long time ago but I think it was a consumer one about interior and exterior design) had a page on it for subscribing. No shocks there but what did catch my attention was that the main content on this page appeared to be overlaying something. Underneath, visible and copyable, was a customer's name, (home) address and a few other details (no passwords but might have made phishing a lot easier). At first I thought they might be a dummy set supposed to populate the data fields until you typed your own in and something had gone wrong. You know, something like Mr Benn, 52 Festive Road, etc. However I googled the person listed and they existed at that address, they'd filed planning applications etc.; perfect person to have subscribed.

    It was 5:30pm so there might not have been anyone in the office, but I called the contact number for the editorial team and said you've got a problem with your website. "No, that'll just be the dummy data, it won't be anyone real" is the response from them. So I said why don't you look at the following page and make your own mind up as to whether it's real or not. I'll hang on the phone whilst you check and once you're happy that it is I'll give you 5 minutes to remove it before I contact the ICO and then tell El' Reg. To their credit, as soon as they saw the page it was obvious they were going to do something quickly as I was told "if you could give us ten minutes we'll have it removed". Sure enough they did in under 8 minutes and I decided to keep it to myself. I can't remember which magazine it was but I was impressed at the speed with which it was removed.

  13. krivine

    Those pesky lawyers

    I just looked up their privacy and security policy: "7. Security: In accordance with our requirements under the Data Protection Act 1998, we *will* adopt appropriate security procedures to help prevent unauthorised access to your information. Neither Future nor any of its group companies shall be liable for any attempt to hack or crack or otherwise gain access to any part of this website including any of your information. "

    (Emphasis on the future tense is mine.) So I suppose they're acting exactly as they say they will. At some unspecified time in the future, they'll look after your data. Till then, FU! I too am grateful for password managers that allow unique, hard-to-crack passwords - not that I'll be using these particular clowns again.

    1. Doctor Syntax Silver badge

      Re: Those pesky lawyers

      "7. Security: In accordance with our requirements under the Data Protection Act 1998, we *will* adopt appropriate security procedures to help prevent unauthorised access to your information. Neither Future nor any of its group companies shall be liable for any attempt to hack or crack or otherwise gain access to any part of this website including any of your information. "

      The tense actually makes sense. They're initiating an agreement with you. The agreement is about what you and they are going to do in the future; it has not passed, so the future tense is right.

      However I don't think the ICO will be over-impressed with their disclaimer and come May next year it certainly wouldn't save them from a big fine.

  14. BobDowling

    Kite mark time?

    Perhaps every site that offers accounts should carry a standard marking that would identify how their passwords were stored:

    Big, bright red flashing turd: Passwords stored in plain text.

    Big, red, non-flashing turd: Passwords stored by reversible encryption.

    Amber padlock: Passwords stored hashed, no salting.

    Green padlock: Passwords stored hashed with salting.

    1. Anonymous Coward

      Re: Kite mark time?

      And what's the bet that greenpadlock.png will be the most used image on any website.

  15. tiggity Silver badge

    VbV

    One of my pet hates (for oh so many reasons) is Verified by Visa

    I generally avoid sites that use it, but occasionally have to use them for something that cannot easily be purchased otherwise (angry stare at SO and their obscure interests)

    My low opinion of VbV always drops that bit further when it asks me to enter digits 4 7 and 8 (or whatever) of my pass-phrase. No decent system should be able to find ANY of my pass-phrase.

  16. Andy the ex-Brit

    Password by email

    I recently registered for a special interest jobs site, and minutes later got a Thanks for Registering email with my username and password in plaintext.

    Boggles the mind. I should have guessed when the password entry fields weren't even obfuscated.

    They got a pretty stern response back from me.

  17. EnviableOne Bronze badge

    Time for a Digital Safety Act?

    Enforce salt and hash encryption for passwords (none of this reversible pick x of n stuff)

    Make CEO criminally liable for breaches (as per HASAWA)

    Make fines extortionate (as per GDPR)

    Make programmers also responsible for their own mistakes (will sort the XSS, CSRF, and SQLi) [like servers are in pubs]
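Several posts above make the same technical point from different angles: Nick Ryan (reply in thread 5) that a salted-hash password store takes minutes with standard toolkits and that the plaintext should travel the shortest possible code path; BobDowling's kite mark (14) distinguishing plaintext, reversible encryption, unsalted and salted hashes; tiggity (15) that no sound system can produce characters 4, 7 and 8 of a pass-phrase; and EnviableOne (17) asking for salt-and-hash to be mandatory. The following is an added example, not code from the page or from any publisher, written with Python's standard library. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the hashing scheme (any slow, salted password hash your platform recommends would do), and it assumes a legacy plaintext row can be recognised by not carrying the record prefix, which is a demo convenience: a real migration would keep an explicit column flag.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed scheme for the demo: PBKDF2-HMAC-SHA256, 16-byte random salt.
# The work factor is illustrative; follow current guidance for your platform.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$digest'.
    A fresh salt per call means two users with the same password get
    different records. The plaintext is consumed here and nowhere else."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost, compare in
    constant time. Nothing here can recover the password, whole or in part."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    _unb64(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, _unb64(digest_b64))


class UserStore:
    """Minimal account table: login -> stored record. Only hash records are
    ever written; any plaintext rows are inherited legacy data."""

    def __init__(self, legacy_plaintext: Optional[Dict[str, str]] = None):
        # Constructed legacy data for the demo: a plaintext store of the kind
        # the article describes, to be upgraded on each user's next login.
        self._records: Dict[str, str] = dict(legacy_plaintext or {})

    def register(self, login: str, password: str) -> None:
        self._records[login] = hash_password(password)

    def login(self, login: str, password: str) -> bool:
        record = self._records.get(login)
        if record is None:
            hash_password(password)   # burn equal time for unknown logins
            return False
        if not record.startswith(ALGO + "$"):
            # Assumed legacy-row marker (see lead-in). Check the plaintext once,
            # then replace it with a hash so the plaintext leaves the store.
            ok = hmac.compare_digest(record.encode("utf-8"), password.encode("utf-8"))
            if ok:
                self._records[login] = hash_password(password)
            return ok
        return verify_password(password, record)

    def reset_password(self, login: str, new_password: str) -> None:
        """The only 'forgot my password' flow a hashed store allows: set a
        new one. There is nothing to email back."""
        self.register(login, new_password)

    def stored_record(self, login: str) -> Optional[str]:
        return self._records.get(login)


if __name__ == "__main__":
    store = UserStore(legacy_plaintext={"legacy_user": "hunter2"})
    store.register("alice", "correct horse battery staple")
    print("alice login:", store.login("alice", "correct horse battery staple"))
    print("legacy login (upgrades row):", store.login("legacy_user", "hunter2"))
    print("legacy row now:", store.stored_record("legacy_user"))
```

Because the store holds only salt and digest, the "enter characters 4, 7 and 8" check tiggity objects to is impossible to implement against it, and the "we'll email your password" flows in posts 10, 13.2 and 16 have nothing to send; that absence is the property BobDowling's green padlock would certify.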


Biting the hand that feeds IT © 1998–2019