
I am a staff member of a large fanfic site, but not the head administrator with control over the site itself.

Recently, we had a security breach and the databases were copied, which included the users' usernames, emails, and password hashes. We put a notice on the front page telling people that we were hacked and that they should change their passwords anywhere else where they use the same password.

However, during a staff meeting, we had a chance to look at the backend structure. Turns out everything was MD5, with the same salt for every user.

I have been trying to convince the rest of the team that this is a very bad situation. I do not think they understand how easy it is for someone to break most of those passwords in a short amount of time despite everything I have done to explain the basics of salting and why MD5 is too fast to be good password security (I've been recommending bcrypt). If compromised users are using the same passwords on other sites, they are at risk of being compromised there, as well.

But most importantly, I've been imploring them to email the users, because simply posting a quick notice on the front page is not going to reach everyone. Their main counterarguments:

  1. We have limited ability to send out that many emails from our server, so reaching everyone is not feasible. (I then recommended Mailchimp, but this was "too expensive", and I was told that I am asking them to do "more than the big companies would do, who have more resources".)

  2. If someone's password is weak enough to be cracked that quickly, there is no point in emailing them because the attacker would have compromised them already by now.

  3. Our main focus is patching up security going forward, not worrying about the past.

I've been trying to counter these arguments because I think they are not responsible or justified excuses, but I appear to be failing. It seems like a huge risk to have an information leak like this when security was this poor, and then not properly inform your users (directly via email) that they need to change their passwords. Putting up a notice on the main page or relying on word of mouth, to me, is not nearly enough and won't necessarily reach inactive users who still have accounts on the site (which are many, if not most).

Am I overreacting? Am I expecting too much from them? Is it unreasonable for me to expect them to email everyone? Am I overestimating the severity of the situation?

What more can I do or say in this situation?

user49749

2 Answers


You're not overreacting at all. It's COMPLETELY irresponsible to refuse to do anything more. Even if a user is inactive, they need their account to be secure.

Your boss clearly doesn't understand the severity of this situation. With unsalted MD5, most passwords are already stored in a rainbow table along with the matching hashes. You can, right now, Google an MD5 hash and find the matching password.

If you have password reset functionality through email, why not require users to change their password next time they log in? Then, anyone who tries to use a compromised account will need the user's email account to prove they are the ones changing the password. Since you already have hashes of passwords and you may not be able to get the original, requiring users to change their password is probably the best solution as you can just create new bcrypt hashes.

If the majority of your users are inactive, this is a great solution as you will not have to send out hundreds of thousands of emails in one day. You can send them out over time.

If you don't want to have to worry about this holding you back in the future, notify users after a certain amount of inactivity (maybe, 1 year) that they have to change their password or their account will be deleted. You can spread this out over time. And not do it all on the day exactly one year from now. But instead, spread it out over a month or so.

Phoenix Logan
  • To reiterate a quick point, it was the same salt, not unsalted. However, all this means is that rainbow tables could be recreated for that salt, which isn't much better. As for login, my concern is users who visit the site very infrequently or not at all anymore. Their information is left wide open. Some of the staff agrees (I think) about making users re-validate themselves, but not about informing the users at large. – user49749 Jun 22 '14 at 16:00
  • What info was leaked? Just usernames and password hashes? I hope so. – Phoenix Logan Jun 22 '14 at 16:03
  • Usernames, emails, and password hashes. – user49749 Jun 22 '14 at 16:03
  • Okay. Well for those users, you should still do the solution I mentioned. If someone tries to access their account, they can't because they have to change their password. One point I may not have made clear is that they need to open a confirmation email and click a link in it to continue with changing their password. These confirmation emails can be spread out over time rather than emailing everyone at once. And, with the compromised password, the account can not be accessed at all. – Phoenix Logan Jun 22 '14 at 16:05
  • Yeah -- I have already recommended to the staff that validating themselves through email and changing their password (and re-storing their credentials with bcrypt) is the way to go. However, the users who do not use the site anymore or don't come around often enough still have their passwords compromised and are unaware of it. – user49749 Jun 22 '14 at 16:08
  • Also, even with a salt that is the same for every user, a custom rainbow table can be created exclusively for your site. Even if it gets only a small amount of users' passwords, it is still a big deal. – Phoenix Logan Jun 22 '14 at 16:08
  • It's fine if they have compromised accounts still, because they are unusable. If you don't want to be held back from implementing a new system in the future, again, you could send an email to users about their account being deleted after maybe 1 year from now, and those emails can be spread out over a month or so, because there is no imminent security threat, since the account can still not be used. If they don't change their password, their account is deleted and you don't have to worry about old hashes in your data center 1 year and 3 months from now, just at this time. – Phoenix Logan Jun 22 '14 at 16:11
  • Ah, I need to clarify my ultimate concern here: My worry is for people who use the same password on our site as they do elsewhere. Their password has been exposed and so an attacker could try their password on other sites with their email address and compromise them there, too. A lot of people re-use their passwords in multiple places, and even complex passwords of length 8-10 are at risk here. If such a user is not active, then by not informing them, they have no idea that their password was leaked and could be exploited elsewhere. – user49749 Jun 22 '14 at 16:14
  • @user49749 What does your boss mean by "limited resources", bandwidth? – Phoenix Logan Jun 22 '14 at 16:16
  • I don't know the details 100% since I don't control the site, but they have told me that they can only send out a limited number of emails per hour, so notifying everyone is not feasible. This is why I then recommended something like MailChimp as an alternative, but this was shot down for being too expensive. – user49749 Jun 22 '14 at 16:17
  • I'm not sure what to say about this. But if you need to send out this many emails, you should be hosting your own mail servers. The only reason I bought web & mail hosting from GoDaddy is because my ISP is blocking ports and I don't need to send out that many emails from my business. If you are handling that many people, you need to host your own servers. Your boss better be concerned about this, though, because you could be sued if you don't notify people as soon as possible. In the end, the cost of MailChimp for a month or so will probably be a lot less. – Phoenix Logan Jun 22 '14 at 16:25
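The login flow the first answer proposes (legacy hash still verifies, but no session is granted until the user completes an emailed reset, after which the password is re-stored with a per-user salt and a slow hash), as an added example that is not the site's code or the answerer's. It uses constructed sample users and a constructed site-wide salt, and standard-library scrypt stands in for the bcrypt the answer recommends, since bcrypt needs a third-party package.

```python
import hashlib, hmac, secrets

# Constructed sample data, not the site's real records: one site-wide MD5 salt
# shared by every user, the scheme the question describes.
LEGACY_SITE_SALT = b"same-salt-for-everyone"

def legacy_md5(password: str) -> str:
    return hashlib.md5(LEGACY_SITE_SALT + password.encode()).hexdigest()

# The exposed table: each legacy record is flagged must_reset after the breach.
USERS = {
    "alice": {"scheme": "md5-site-salt", "hash": legacy_md5("correct horse"),
              "must_reset": True, "reset_token_hash": None},
}

def slow_hash(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library stands in for bcrypt (third-party package).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def verify(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "md5-site-salt":
        return hmac.compare_digest(rec["hash"], legacy_md5(password))
    return hmac.compare_digest(rec["hash"], slow_hash(password, rec["salt"]))

def login(username: str, password: str) -> str:
    """'denied', 'reset_required' (no session granted) or 'ok'."""
    if not verify(username, password):
        return "denied"
    return "reset_required" if USERS[username]["must_reset"] else "ok"

def issue_reset_token(username: str) -> str:
    # The token is sent in the confirmation email; only its hash is stored.
    token = secrets.token_urlsafe(32)
    USERS[username]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token

def complete_reset(username: str, token: str, new_password: str) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["reset_token_hash"] is None:
        return False
    if not hmac.compare_digest(rec["reset_token_hash"],
                               hashlib.sha256(token.encode()).hexdigest()):
        return False
    salt = secrets.token_bytes(16)  # fresh per-user salt; the old MD5 hash is dropped
    rec.update(scheme="scrypt", salt=salt, hash=slow_hash(new_password, salt),
               must_reset=False, reset_token_hash=None)
    return True
```

Note that after the reset the leaked password no longer verifies at all, and before it a correct leaked password still yields no session, which is the property the answer relies on when spreading the confirmation emails out over time.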

What to do from an ethical point of view and what to do from a legal point of view are entirely different. First of all, you should have performed incident response. One of the most important things learned from incident response is to know:

  • What happened
  • When did it happen
  • How did it happen
  • How do we prevent this in the future

Your company obviously stopped at the 3rd point and there is no care for moving forward. Also, your staff is not a communications team; it's also negligent towards certain legal requirements. I'm not sure where you live, but within the EU there are already laws and precedents in place which can be used in court if one of your users decides to press charges for leaking personal data. If your company did not communicate this to their users nor to the police, then there is a chance that your company and also its management can be held accountable:

The Commission has put in place new specific rules to ensure that personal data breaches in the EU telecoms sector are notified in the same way in each Member State. The 2002 ePrivacy Directive requires telecoms operators and Internet service providers to keep personal data confidential and secure. However, sometimes data is stolen or lost or accessed by unauthorised persons. These cases are known as 'personal data breaches'. Under the revised ePrivacy Directive (2009/136/EC), when a personal data breach occurs, the provider has to report this to a specific national authority. Also, the provider has to inform the concerned subscriber directly when the breach is likely to adversely affect personal data or privacy. To ensure consistent implementation of the data breach rules across Member States, the Commission has adopted "technical implementing measures" – practical rules to complement the existing legislation – on the circumstances, formats and procedures for the notification requirements. These rules will help ensure that all customers receive equivalent treatment across the EU in case of a data breach, and that businesses can take a pan-EU approach to these problems if they operate in more than one country.

For the US the laws are also very clear; while it is state dependent, one example for California can be found below:

The first such law, the California data security breach notification law SB 1386, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.

While a notification is technically also "in writing", it will probably come to an argument should this come into a court. The judge will then have to decide if you acted accordingly to comply with the law. If it is deemed you had the email addresses, then most likely it will be decided that you did not comply with the law, and both civil and criminal penalties may follow for your company and its management. If your staff is an advising party in this issue, they will be considered as management.

Lucas Kauffman
  • Thanks for the detailed response. What would you recommend I do in this situation, past this? I am feeling a bit powerless despite all my arguments to the staff/admins. – user49749 Jun 22 '14 at 17:04
  • Keep the emails where you expressed your concerns; you need to cover your ass, but aside from that you can't do much else. – Lucas Kauffman Jun 22 '14 at 17:08
  • Does it matter what kind of site it is? It's a fanfic site where no financial transactions take place. You can sign up, post fanfiction, etc, but the only sensitive pieces of information are passwords and emails and such. – user49749 Jun 22 '14 at 17:11
  • It depends, the law is to be interpreted and I'm not really a lawyer nor a judge. For the EU I know that private data is "that which can identify a single person". So if you have got just emails and passwords, then it must be determined if from the email address you can identify a single person. For instance if their email is first.lastname@company.com then it might be ruled that this is personal data. – Lucas Kauffman Jun 22 '14 at 17:15
  • A similar question was asked yesterday, have a look at it here as well http://security.stackexchange.com/questions/61585/convincing-my-manager-to-use-salts/61589#61589 – Lucas Kauffman Jun 22 '14 at 17:16
  • What might you recommend as a solution to the emailing concern? Do you agree that it is necessary to inform all users in the system? – user49749 Jun 22 '14 at 17:17
  • It is certainly necessary to notify all users and enforce a password change, as well as the recommendation to change passwords for any service they might have used the same password for. – Lucas Kauffman Jun 22 '14 at 17:23