The Tech Herald breach exposed more than 100,000 accounts

by Steve Ragan - Apr 29 2011, 12:15 breach exposed more than 100,000 accounts.(IMG:J.Anerson)

Over a period of four hours on Wednesday, an automated SQL Injection attack leeched plain text passwords and email addresses from The attack created a good deal of noise, causing connection issues and brief outages, but by the time it was discovered, nearly 8-percent of the database had been ransacked.

According to the disclosure by, the attack was similar to the one experienced recently by Specifically they were hit by a bot-driven Blind SQL Injection attack. While has measures in place to enforce limits for a single IP address, these limits were circumvented by the attacking botnet.

In a message to users, Justin Beech, the site’s founder, said that the email and plain text password pairs harvested during the attack “…cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.”

“I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts… Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful,” Beech added.

Over the last ten years, there have been more than 1.6 million accounts registered on Using the 8-percent listed by Beech as a base, this equals more than 135,000 accounts compromised. If you go by the listed “current login count” (~1.2 million), then the exposure is slightly less, at more than 101,000.

“If you are in the habit of sharing the same password among many sites…you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it,” Beech warned.

“Obviously having both an [SQL] attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can. My apology for any stress this causes.”

As mentioned, password sharing is a risky proposition. It happens all the time, and incidents like this are why the practice should be avoided. If you are looking for a list of passwords that are known to be easily cracked by criminals, look here.

There has been some flack given to Beech over his method of storing passwords. Given the age of the site, it is likely that the password system is a legacy system. Updates to it would have required large investments in hardware and development. These investments are costly, and it is possible simply did not have the funds or development team in place to take on the project. They have little choice in the matter now.

To play things safe, if you have a account, even if you did not get a warning letter, change your password. While you’re at it, today is a great day to select new passwords for other important accounts, such as email, social, and financial.

Around the Web

Comment on this Story

comments powered by Disqus


Miami Formula E Tickets On Sale Now

Tickets for the first US race in the Formula E calendar — Miami — are on sale now.The ePrix&...

Our Most Popular Car Games Of 2014

It’s that time of year when we take stock of where we’re at and button down the hatches over...

Monster Truck World Speed Record Broken By The Raminator

The monster truck speed record has been broken by road-going goliath The Raminator.The truck...

Car Games Update – December 2014

Our car games section is constantly growing and becoming more popular by the day. Over the p...

The Mind-blowing 2015 BMW 6 Series (PICTURES)

Here’s a great selection of pictures of the new 2015 BMW 6 Series to salivate over. The new ...