3 min read

CNET hacked! Registered users details stolen by gang demanding 1 Bitcoin

Graham CLULEY

July 15, 2014

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
CNET hacked! Registered users details stolen by gang demanding 1 Bitcoin

If you are a registered user of the CNET technology news website, it might be a good idea to put your emergency password plans into action right now.

That means changing your CNET password, and ensuring that you are not using the same password anywhere else on the net.

Although there is no indication that your password is in imminent danger, it seems a sensible precautionary measure after CNET admitted that hackers broke into some of its web servers a few days ago, and accessed a database of the site’s users.

A Russian hacking group called W0rm claims to have stolen the database of more than one million CNET’s registered users – including usernames, emails and encrypted passwords – having exploited a security hole in CNET’s installation of the Symfony framework, the behind-the-scenes software that ties all the pieces of its website together.

At the time of writing, CNET does not appear to have reached out to affected users to inform them of the security breach – but it has posted a news story about the hack, where CNET spokeswoman Jen Boscacci is quoted as acknowledging that “a few servers were accessed” and that the company “identified the issue and resolved it a few days ago.”

No details have been shared of how the CNET passwords might have been secured – in other words, what algorithm was used, and whether the passwords were salted and hashed, which would make them much more difficult for malicious hackers to extract and exploit.

Yesterday, the database was offered for sale via Twitter for the somewhat small price of 1 bitcoin (approximately $622), but the hacking gang’s spokesperson confirmed that this was being done primary to gain attention.

According to the report, a spokesman for the W0rm hacking gang told CNET that they hacked the site’s servers in order to raise awareness of security flaws, rather than for financial benefit.

The same gang has claimed responsibility for hacking the BBC, Adobe, and Bank of America websites in the past.

Looking at the screenshot displayed by the hackers of the compromised CNET web server does tell us something interesting. Clearly the hackers have carefully redacted sections of the URL they accessed, possibly in an attempt to prevent other copycat hackers from trying to break into the site.

If that’s right, then it does suggest that the hackers are more interested in shaming CNET into improving their web security than putting innocent users at risk.

Let’s hope that the hackers are true to their word about exposing weak security, and were joking about selling the CNET database for 1 Bitcoin. Even if the passwords aren’t cracked, it’s easy to imagine how the email addresses and other stolen information could be exploited by cybercriminals in phishing campaigns and targeted attacks.

And that, by the way, is why CNET should do the decent thing and reach out to affected users – warning them of the possibility of malicious emails and communications using some of the information that has been exposed.

It seems to me that that would be the responsible thing to do, and I hope that we see CNET confirm that they will inform their community of registered users in an appropriate fashion.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read