The Syrian Electronic Army (SEA) has struck again, this time attacking the account records of more than a million Forbes readers and contributors. A total of 1,071,963 users were affected when the database that held their email addresses and correlating passwords was exposed and shared online by the cybercriminals. Three Forbes articles were vandalised and the company’s blog went dead as well. But how was the SEA able to strike such a large infrastructure?
It’s believed Forbes stored user information in a PHP Portable format. Essentially, this means every password and a random salt, used to slow down attackers, were run through the MD5 algorithm. This algorithm is a popular cryptographic hash function that’s commonly utilised to verify the legitimacy of data. Forbes ran 8,192 duplications of MD5 on the hash and password and then stored the results in their database.
The SEA then came in and took this stored information to play what turned out to be a harmful guessing game. They tried out random everyday passwords, like “ABCD,” with users’ salts, producing a hash, which was then referenced with Forbes’ database. When matches were made, passwords were exposed.
Although the passwords were one-way encrypted, Forbes is urging its readers to change their login information, saying:
The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach.
The major issue here is the fact that people tend to use the same username and password for multiple accounts. So any Forbes reader who had their information shared publicly, that uses the same username and password combination for other accounts, is now at risk for a broader, multi-platform attack.
This is why we cannot caution you enough against this method of operation. If one of your accounts is attacked, the rest are vulnerable, and cybercriminals are well aware of this fact. We therefore urge you to utilise password manager, which allows you to store strong, individual passwords for each of your online accounts, ensuring a breach of one profile will not mean a total loss of information across all of your active platforms.