Cake
    • I got an email today from 500px asking me to update my password. Whenever I get an email like that I usually do some quick search to make sure this isn't another phishing scam before pressing any buttons in the email. This led me to an article that @yaypie posted with even more scary information and breadth of the breach.

      As a 500px user it makes me angry that my personal information is out there to be sold to anyone anonymously with some Bitcoins:

      14,870,304 accounts for 0.217 BTC ($780) total

      1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country. 500px is a social-networking site for photographers and folks interested in photography.

      How can I as a customer defend myself against company-wide attacks? I can only choose my password and provide incomplete information about myself, which is important for a social network of photographers. For many of us our real name is our brand.

    • Yes, indeed. Security best practices are there for a reason, well known, and well understood. Not using them should probably be grounds for a malpractice lawsuit.

      With that in mind, imagine my feelings when after forgetting the password to my (state owned) electricity co and clicking 'forgot my password' link, I got my original password, in cleartext, in my mail. :-)

    • Whenever you get a mail of that sort, don't click on it. Instead, good security practice is to go to the website in question, directly, by manually typing the address in the browser and check it out there. If it's legit, you'll see it on their site.

    • Thanks for bringing this up, @yaypie. Password hashing and salting a hash must be arcane concepts to non-programmers ("First you're not even storing my password, and then you're adding random garbage to what you store - how can this even work?"), but this is very important to every single one of us who has at least some important data secured by one of these things. :)

      A quick back-of-the-envelope calculation shows that only a quarter of passwords in this hack were stored in a secure way, with the security of the remaining quarters being either dubious (MD5+salt?; same salt for the whole table?) or outright crazy. This just isn't enough!

      My last encounter with someone not quite understanding the value of hashing and salting correctly is much less spectacular than this, but still shows the general problem:

      Last year, I participated in a prize competition where I had to enter my mail address. After doing that, I received a mail stating that I needed to confirm my address for GDPR reasons. This mail contained a link for me to click on, which was built like this:

      <domain>/confirm/?mail=factotum@example.com

      The URL contained my mail address as plain text! I would have been able to "confirm" any random address I added to their database, even without having access to that mail address. Using the right addresses (some privacy lawyers come to mind), this could have caused them a good amount of trouble.

      I contacted them and explained the issue - and they replied, thanking me for bringing this up and mentioning that someone "is working on solving the problem (MD5 hash)". This mention of a hashing algorithm was oddly specific, so I tried participating again from a different address. In fact, the link I received this time was

      <domain>/confirm/?hash=cd13b6a6af66fb774faa589a9d18f906

      Using an MD5 hash generator, I quickly confirmed that the hash used was created from the mail address string without any salting. They changed the process slightly, but didn't make it any more secure than it was before. Obviously, they didn't have any real understanding of what hashing (and salting) really is.

      (Try it out yourself: how long do you need to find out what this hash stands for?)