Over a period of four hours on Wednesday, an automated SQL Injection attack leeched plain text passwords and email addresses from DSLReports.com. The attack created a good deal of noise, causing connection issues and brief outages, but by the time it was discovered, nearly 8-percent of the database had been ransacked.
According to the disclosure by DSLReports.com, the attack was similar to the one experienced recently by MySQL.com. Specifically they were hit by a bot-driven Blind SQL Injection attack. While DSLReports.com has measures in place to enforce limits for a single IP address, these limits were circumvented by the attacking botnet.
In a message to users, Justin Beech, the site’s founder, said that the email and plain text password pairs harvested during the attack “…cover the entire 10 year history of the membership but sprinkled randomly. Some are very old accounts, some are new accounts, some inactive or deleted.”
“I identified the newest accounts, those that were obtained and have logged in over the last 12 months, and have alerted those by email. This amounts to some 9000 accounts… Older inactive accounts involved are also being notified by email now, although the older the account, the less likely the email is still current, or the password they used is still useful,” Beech added.
Over the last ten years, there have been more than 1.6 million accounts registered on DSLReports.com. Using the 8-percent listed by Beech as a base, this equals more than 135,000 accounts compromised. If you go by the listed “current login count” (~1.2 million), then the exposure is slightly less, at more than 101,000.
“If you are in the habit of sharing the same password among many sites…you should secure your access to those sites by changing your password immediately. Your first priority would be your email account if the password was shared with it,” Beech warned.
“Obviously having both an [SQL] attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can. My apology for any stress this causes.”
As mentioned, password sharing is a risky proposition. It happens all the time, and incidents like this are why the practice should be avoided. If you are looking for a list of passwords that are known to be easily cracked by criminals, look here.
There has been some flack given to Beech over his method of storing passwords. Given the age of the site, it is likely that the password system is a legacy system. Updates to it would have required large investments in hardware and development. These investments are costly, and it is possible DSLReports.com simply did not have the funds or development team in place to take on the project. They have little choice in the matter now.
To play things safe, if you have a DSLReports.com account, even if you did not get a warning letter, change your password. While you’re at it, today is a great day to select new passwords for other important accounts, such as email, social, and financial.