Treat your password like your toothbrush: don't let anyone else use it, and change it every six months. (Clifford Stoll)
It looks like HackersBlog have come out of retirement, and with a bang. (see here for an earlier interview I did with HackersBlog)
They have posted a couple of stories this month, one regarding a SQL injection vulnerability at gamespot.com which exposed the personal details of 8 million subscribers. From previous postings, you can do the maths and figure out how much that little lot would be worth in the underground economy. Happily the vulnerability at gamespot is reportedly fixed now.
The showstopper however is the vulnerability on the orange.fr website which was posted today. According to 2fingers over at HackersBlog, a SQL injection vulnerability discovered by fellow hacker Unu exposes not only the account details of almost a quarter of a million customers but also their passwords in clear text…
Recently published research showed that 61% of people use the same password for multiple sites, so a leak of clear-text passwords like this one puts far more than the orange.fr accounts themselves at risk.
HackersBlog state that they have alerted the folks over at orange.fr but have not yet received a response.
In the meantime, if you are an orange.fr customer and have used the same password anywhere else, I would encourage you to change it on those other accounts, and of course on the orange.fr web site itself.
From another, earlier posting on HackersBlog, it seems they may be posting some news about o2.co.uk soon as well…
Here are a few tips for maintaining password security online.
Choose three complex passwords, easy to remember but difficult to guess, using a combination of numbers, upper and lower case letters and special characters like !£$@&. (Trend Micro’s advice on password creation is available in our Safe Computing Guide).
Use the first password as a general one for the majority of sites that require a login. Use the second for your email account and only your email account, since that is where password resets for every other site end up. Finally, use the third only for websites that could have financial consequences, such as online banking or payment sites.
Finally, for those of you out there hosting web sites that hold other people’s data, have a look at the guidelines in my earlier blog entry about Spotify…
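The orange.fr story combines the two mistakes those guidelines are about: a query that lets user input rewrite the SQL, and a password column that stores the secret itself instead of a salted hash. The following is an added example, not code from this blog or from HackersBlog, that shows both side by side on a constructed in-memory SQLite table with two made-up accounts: the concatenated query hands back every row (passwords included) to the classic `' OR '1'='1` input, while the parameterised query returns nothing for it, and the hashed table would yield only salts and PBKDF2 digests even if it were dumped. The table names, accounts and iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the demo

# Classic tautology payload used to demonstrate the injection below.
INJECTION = "x' OR '1'='1"


def hash_password(password, salt=None):
    """Return (salt, pbkdf2_sha256 digest); a fresh random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def build_db():
    """Constructed sample data: two fake accounts in an in-memory SQLite database.

    users_plain mirrors the bad practice (clear-text passwords);
    users_hashed stores only a per-user salt and a PBKDF2 digest.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (email, pw))
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The mistake: user input is spliced into the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT email, password FROM users_plain WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter is always treated as data, never as SQL."""
    return conn.execute("SELECT email FROM users_hashed WHERE email = ?", (email,)).fetchall()


def verify_password(conn, email, password):
    """Check a login against the hashed table with a constant-time comparison."""
    row = conn.execute(
        "SELECT salt, pwhash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    db = build_db()
    # Every row, clear-text passwords included, comes back from the vulnerable query.
    print("vulnerable:", lookup_vulnerable(db, INJECTION))
    # The same payload matches no account when it is passed as a parameter.
    print("safe:      ", lookup_safe(db, INJECTION))
    print("alice login:", verify_password(db, "alice@example.com", "hunter2"))
    print("alice wrong:", verify_password(db, "alice@example.com", "letmein"))
```

Running the script prints both sample accounts with their passwords from the vulnerable lookup, an empty list from the parameterised one, and True/False for the correct and wrong password. The two fixes are independent: parameterised queries stop the injection, and salted hashing limits the damage when some other hole lets the table out anyway.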