Firstly, there is that word 'encrypted'. Passwords should be hashed, not encrypted. By definition, encryption is reversible while hashing is not. Encryption is good for hiding single documents, but not good for hiding millions of passwords. Adobe said its passwords were encrypted, and many people assumed it was just a slip of the tongue for 'hashed'. With Adobe it was not; with Forbes it seems that it was – they were hashed.
This is known courtesy of Paul Ducklin writing for Sophos Naked Security. Ducklin has done some analysis on the dumped data. The passwords were salted and hashed, not encrypted, he says, adding, "It's a pity Forbes didn't say so, and give explicit detail on how the salting-and-hashing had been done. That would have given a useful indication of how likely it is that password crackers will be able to recover individual passwords."
In the event, he tried it himself, and doesn't seem to have had much difficulty in cracking some of the weaker passwords. Nevertheless, he feels that Forbes has been reasonably thorough in its attempts to protect its users. It used the MD5 hash with 8193 iterations and added salt; that is, the PHPass (Portable PHP password hashing) framework. "That's why [at the time of writing, 2014-02-16T00:20Z]," he added, "you probably haven't yet seen any extensive lists analysing the passwords in this breach, which you almost certainly would have if a simpler hashing system had been used."
That doesn't mean they are secure. In a subsequent post, Ducklin explained further analysis. "Then we cracked each of the sets of 10,000 hashes against our Top Hundred list [of most used passwords], which took only a few minutes with multiple processors on the job, despite the PHPass-based hash-stretching." From this analysis he learned that the most frequently used passwords are still the most frequently used passwords; and that perhaps surprisingly, AOL users tend to choose their passwords more wisely than do Gmail users.
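To make the "MD5 with 8193 iterations and salt" description concrete, here is an added example (not code from the article, from Sophos, or from the phpass project) that verifies a PHPass portable hash the way a PHP application would: the character after `$P$` encodes the cost as a power of two, so cost `B` (index 13 in PHPass's alphabet) means 2^13 = 8192 stretch rounds on top of the initial salt+password digest, giving the 8193 MD5 calls quoted above. The test vector for `test12345` is the one shipped in phpass's own test.php; the setting strings with `saltsalt` are constructed here.

```python
import hashlib
import hmac

# Alphabet PHPass uses to encode the cost character, the salt and the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """PHPass's own little-endian base-64 variant (not RFC 4648); 16 bytes -> 22 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def md5_calls(setting: str) -> int:
    """MD5 invocations a '$P$' hash costs: one for salt+password, then 2**count_log2 stretch rounds."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a PHPass portable hash")
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:  # same bounds PHPass enforces
        raise ValueError("cost out of range")
    return 1 + (1 << count_log2)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the portable hash for password under the cost and 8-char salt in setting."""
    rounds = md5_calls(setting) - 1
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one; malformed input is a reject."""
    try:
        return hmac.compare_digest(phpass_hash(password, stored), stored)
    except ValueError:
        return False
```

A site that stores `$P$B...` hashes therefore pays 8193 MD5 calls per login check, and an attacker pays the same per guess, which is why a cost character of `B` slows bulk cracking relative to a single unsalted MD5 but, as the Top Hundred test shows, does not save users who picked a common password.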
The question then is, who did the hack? Well, it was the Syrian Electronic Army, of course. As usual, they claimed responsibility in a series of tweets. Breaching major media sites for publicity is a common theme in their attacks; but this was a bit different. First they tweeted, "#Forbes users table(1,071,963 user-email-password) was dumped successfully, Anyone want to buy it?" This might have been a joke, because they then tweeted, "No, We are going to publish it for free really."
Either way, it is a deviation from their usual methods; which have hitherto concentrated more on publicity than damage. The group then seemed to revert to its usual approach two days later when a series of tweets announced, "We didn't publish the user table of Forbes to show off, but because they deserved to be embarrassed. We have access to bigger user tables than Forbes one but Forbes has been so unethical that they deserved it. The user tables have been deleted, we are no longer publishing them. Please change your passwords if you have a login on Forbes."
But once published, especially if left for two days, the cat is out of the bag. There is now no way of knowing how many copies have been obtained by more nefarious actors than Paul Ducklin. Since SEA will know this better than most, the change of tactics seems a bit strange – that they should dump the database at all, and then seemingly change their mind.
This will undoubtedly lead to speculation about the group. Does it, for example, have new members not yet au fait with its own set of 'ethics'; or is it indicative of a change of principles within the group (that is, are we likely to see a more aggressive SEA in the future)? Infosecurity has asked SEA these questions, but not yet received a reply. If one comes, we'll update this story with SEA's response.