X

DSLReports says member information stolen

Founder of the ISP news and review site apologizes for storing passwords in plaint text in the wake of attack and theft of user information.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
See full bio
Elinor Mills
2 min read
 

Subscribers to ISP news and review site DSLReports.com have been notified that their e-mail addresses and passwords may have been exposed during an attack on the Web site earlier this week.

The site was targeted in an SQL injection attack yesterday and about 8 percent of the subscribers' e-mail addresses and passwords were stolen, Justin Beech, founder of DSLReports.com, wrote in an e-mail to members. That would be about 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts created during the site's 10-year history, Beech said in an e-mail to CNET today.

"The data was taken on Wednesday afternoon, recognized and blocked at 7 p.m., and by Wednesday evening all the active accounts received e-mail notifications advising them to change their password if they share it with that e-mail address and all passwords were changed at that time," he wrote. "My hope is that few if any members will actually lose more than time to change passwords that they share among other sites."

The site has reset the passwords for those affected and members who use the same password on other sites, as noted above by Beech, were urged to change those passwords to prevent those accounts from being compromised.

"I've no idea what the purpose of this attack was, or how long before they try using the data, but I imagine the data will be searched for possibly high value access elsewhere: PayPal, eBay, Gmail, banking sites," Beech wrote in his e-mail to members. "They got no other details, just e-mail and password pairs."

The e-mail included a link to the forum section of DSLReports, in which Beech included more information and apologized for not encrypting the passwords in the database.

"Obviously having both an SQL injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can," Beech wrote. "My apology for any stress this causes. If you are like me you've also got the PSN network issue hanging over your head as well."

The news comes on the heels of a large data breach at Sony PlayStation Network that potentially affects 77 million accounts. Sony says customer names, passwords, addresses, e-mail addresses, birthdays and user names were exposed, but can not say whether or not credit card information is at risk.