Posts by LEthaLity

1 post • joined 28 Sep 2011

UKChatterbox urges password change following hack attack


Some clarification on UKChatterbox

Quote: "Although one user accused UKChatterbox of a succession of basic security errors and subsequent cover-ups, we have a lot of sympathy for the site. Running an IRC channel – which often becomes a magnet for flame wars, hack attacks and squabbles"

I, being that "one user" being referenced, used to be staff on the service. Firstly, UKChatterbox is not your average IRC network, so flame wars and net/IRC wars aren't an issue. They don't describe themselves as an IRC net; they're a "web-chat service", and they are the largest "web-chat" service of its sort in the UK, with over 2 million users and over 2 thousand on-site at any time.

The security errors have been acknowledged; they range from MySQL injections which allowed access to the user database (the reason for the password resets) through to other human errors on their staff's part with regard to the complexity of passwords and password reset procedures.

Until the "password reset announcement" they hadn't once admitted or acknowledged any of the activities to its users/chatters for two months, but communication in-house did mention them. What the users got was numerous notices about server/hardware failure, maintenance and upgrades.

So whilst I don't wish to inflame the situation (apparently some of the staff have taken this very personally), the reason for the forced password resets and the accompanying recommendations on email security is that multiple tables in the database have been accessed, with plaintext passwords in use, and over 90% of users use the same passwords on multiple sites.
