Another day, another report of millions of user credentials leaked online.
This time it seems the victim is a company called VerticalScope, a Canadian media company that runs a large number of websites and forums, including those on tech and sports such as Motorcycle.com, autoguide.com and techsupportforum.com.
According to LeakedSource, VerticalScope’s database was hacked in February this year, exposing the details of 45 million users across 1100 sites.
Details leaked include email addresses, usernames, IP addresses and passwords. According to LeakedSource, many of the passwords were salted and hashed with the MD5 algorithm, which is now widely regarded as insufficient. Just a handful used encryption that can be considered difficult to crack.
"Given the massive scale of this breach, it is also likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale,” LeakedSource added.
Many of the affected websites were running vBulletin forum software that dated back to 2007 and contained known vulnerabilities that were easy to exploit, ZDNet reported.
In an email sent to ZDNet, VerticalScope said it was investigating the reports, without directly confirming that a breach had taken place. “We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development.
He added that the company is reviewing its security policies.
Farshad Ghazi, global product manager at HPE Security - Data Security, suggested that basic security measures would help companies keep their customer data secure.
“End-to-end encryption, a key data-centric security technology, protects data at rest, in use and in motion – thereby minimizing any clear data exposure and ensuring attackers get nothing of value when they do penetrate systems,” he said. “The ability to render data useless if lost or stolen, through data-centric encryption, is an essential benefit to ensure data remains secure,” he added.
“As this attack points out, there is a clear need to protect personal information like name, full address, phone number and email address so that criminals can’t use the information to open bogus accounts, sell it for use in more targeted larger-scale spear-phishing, or even to steal identities,” Ghazi added.