The Tech Herald

DSLReports.com breach exposed more than 100,000 accounts

by Steve Ragan - Apr 29 2011, 12:15

DSLReports.com breach exposed more than 100,000 accounts.(IMG:J.Anerson)

Over a period of four hours on Wednesday, an automated SQL Injection attack leeched plain text passwords and email addresses from DSLReports.com. The attack created a good deal of noise, causing connection issues and brief outages, but by the time it was discovered, nearly 8-percent of the database had been ransacked.

According to the disclosure by DSLReports.com, the attack was similar to the one experienced recently by MySQL.com. Specifically they were hit by a bot-driven Blind SQL Injection attack. While DSLReports.com has measures in place to enforce limits for a single IP address, these limits were circumvented by the attacking botnet.

In a message to users, Justin Beech, the site’s founder, said that the email and plain text password pairs harvested during the attack “…cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.”

“I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts… Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful,” Beech added.

Over the last ten years, there have been more than 1.6 million accounts registered on DSLReports.com. Using the 8-percent listed by Beech as a base, this equals more than 135,000 accounts compromised. If you go by the listed “current login count” (~1.2 million), then the exposure is slightly less, at more than 101,000.

“If you are in the habit of sharing the same password among many sites…you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it,” Beech warned.

“Obviously having both an [SQL] attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can. My apology for any stress this causes.”

As mentioned, password sharing is a risky proposition. It happens all the time, and incidents like this are why the practice should be avoided. If you are looking for a list of passwords that are known to be easily cracked by criminals, look here.

There has been some flack given to Beech over his method of storing passwords. Given the age of the site, it is likely that the password system is a legacy system. Updates to it would have required large investments in hardware and development. These investments are costly, and it is possible DSLReports.com simply did not have the funds or development team in place to take on the project. They have little choice in the matter now.

To play things safe, if you have a DSLReports.com account, even if you did not get a warning letter, change your password. While you’re at it, today is a great day to select new passwords for other important accounts, such as email, social, and financial.

Around the Web

Comment on this Story

comments powered by Disqus

From Autosaur.com

Ferrari California T voted Most Beautiful Sports Car in China

  Ferrari’s California T has picked up the Sports Car of year award in the Most Beautif...

‘Self-cleaning’ Car from Nissan

Say goodbye to washing the car on a Sunday afternoon? Well maybe not quite and not quite sel...

Michelle Rodriguez Pulls Cool Bikini Headstand with Bugatti

Actress Michelle Rodriguez has posted a photo on her Instagram page of herself performing a ...

Student wins $5000 for Corvette Snap

Dan Wang, a student at Rochester Institue of Technology, has picked up a $5000 cheque for hi...

2015 Mini Paceman Pictures

Mini have released pictures of their 2015 Mini Paceman after it was unveiled at the Beijing Motor ...