April 28, 2011

The New York Yankees and DSLReports.com responsible for 30,000 more data loss victims

Great. I was one of those who was hacked. Even though I rarely go to DSLReports anymore. Didn't matter, since I was there in the past twelve months, my account was compromised. I got an e-mail from the site owner telling me so. Fortunately, it was a throwaway account that I rarely use. I only found out about this from the Sophos "NakedSecurity" blog. I'm shocked that after all these years, when Justin's own site pushes security, that he left these accounts wide open. He got a well-deserved slam in this article:

Article here

The New York Yankees and DSLReports.com responsible for 30,000 more data loss victims

by Chester Wisniewski on April 29, 2011

This message may repeat. This message may repeat.. For those of us old enough to have fond memories of the phonograph, the phrase "broken record" may come to mind.

Yes, more user information has been leaked and in a totally preventable fashion. A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to "several hundred" affiliates with the personal details of over 21,000 Yankees ticket holders.

According to the Yankees, the spreadsheet contained customers' names, addresses, phone numbers, fax numbers, e-mail addresses and other information like their seat numbers and which ticket packages they purchased.

Implementing data loss prevention (DLP) for sensitive customer data is easy to do. There are at least three ways this could have been prevented...

1. Encrypt the spreadsheet to prevent accidental disclosure
2. Implement endpoint DLP software to watch for the transfer of sensitive data to instant message, email and other communication tools
3. Scan outgoing email messages for personally identifiable information to prevent accidental disclosure.
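Option 3 above, scanning outgoing mail for personally identifiable information, is the one that maps most directly onto the Yankees incident (a spreadsheet of contact details attached to an e-mail). The following is an added illustration of that check, not code from the Sophos article, the Yankees or DSLReports. It assumes a mail relay hands each outgoing message to `scan_outgoing()` as raw RFC 822 bytes and acts on the verdict returned; the regular expressions, the `MAX_PII_RECORDS` threshold and the sample messages are constructed for the example.

```python
"""Outbound e-mail PII scan (option 3 above).

Added illustration, not code from the Sophos article, the Yankees or
DSLReports. Assumes a mail relay hands each outgoing message to
scan_outgoing() as raw RFC 822 bytes and acts on the verdict it returns;
the patterns, the threshold and the sample data are constructed.
"""
import csv
import io
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Field types the leaked Yankees spreadsheet is reported to have held.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
}

# Policy threshold (assumed): a signature line carries one or two contacts;
# more distinct values than this looks like a bulk record export.
MAX_PII_RECORDS = 5

# Constructed sample data standing in for a ticket-holder export.
SAMPLE_ROWS = [
    (f"Fan {i}", f"fan{i}@example.org", f"212-555-01{i:02d}", f"Sec 1 Row {i}")
    for i in range(8)
]


def count_pii(text):
    """Number of distinct matches per PII kind in one piece of text."""
    return {kind: len(set(pat.findall(text))) for kind, pat in PII_PATTERNS.items()}


def text_parts(msg):
    """Decoded text of the body and of any text or CSV attachment."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/csv", "application/csv"):
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode("utf-8", errors="replace")


def scan_outgoing(raw_bytes):
    """Return ("hold" | "deliver", per-kind totals) for one outgoing message."""
    msg = message_from_bytes(raw_bytes, policy=default)
    totals = dict.fromkeys(PII_PATTERNS, 0)
    for text in text_parts(msg):
        for kind, n in count_pii(text).items():
            totals[kind] += n
    verdict = "hold" if max(totals.values()) > MAX_PII_RECORDS else "deliver"
    return verdict, totals


def build_export_mail(rows):
    """Constructed message: a sales rep mailing a CSV of ticket holders."""
    msg = EmailMessage()
    msg["From"] = "rep@example.com"
    msg["To"] = "affiliates@example.com"
    msg["Subject"] = "Ticket holder list"
    msg.set_content("Attached is the list we discussed.")
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "email", "phone", "seat"])
    writer.writerows(rows)
    msg.add_attachment(buf.getvalue(), subtype="csv", filename="holders.csv")
    return msg.as_bytes()


def build_benign_mail():
    """Constructed message: ordinary correspondence with one contact line."""
    msg = EmailMessage()
    msg["From"] = "rep@example.com"
    msg["To"] = "partner@example.com"
    msg["Subject"] = "Re: renewal"
    msg.set_content("Happy to help. Call 212-555-0199 or mail rep@example.com")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_outgoing(build_export_mail(SAMPLE_ROWS)))   # ('hold', ...)
    print(scan_outgoing(build_benign_mail()))              # ('deliver', ...)
```

The point of counting distinct values rather than raw matches is that a single contact in a signature should not trip the control, while a few hundred rows of ticket holders should; a real deployment would also cover spreadsheet formats (xlsx, pdf) and route "hold" messages to a reviewer rather than silently dropping them.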

Later this afternoon DSLReports.com disclosed that they had been the victims of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a "sql injection attack by a botnet on wednesday afternoon obtained a large number of email / password pairs."

Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.

To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports' database were in clear text. No hashing, no salting, totally unencrypted.
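Two separate failures are described here: the lookup that could be subverted by SQL injection, and the passwords sitting in clear text for the injected query to return. The following added example, which is not DSLReports code, shows the combination a forum account table should have had: a parameterized lookup so user input is bound rather than spliced into the query, and per-user salted PBKDF2 digests so that a dump of the table yields no usable passwords. It uses an in-memory SQLite database so it runs offline; the table layout, the function names and the iteration count are assumptions, and `unsafe_lookup()` is included only as the "before" form beside the parameterized one.

```python
"""Salted password hashing and parameterized queries: an added example of
the two practices the article says DSLReports lacked.

Constructed illustration, not DSLReports code. Uses an in-memory SQLite
database so it runs offline; the table layout, function names and
iteration count are assumptions for the example.
"""
import hashlib
import hmac
import os
import sqlite3

# Work factor (assumed): tune so one verification costs ~100 ms on your
# hardware, and store it per row so it can be raised later.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt per user."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def open_store():
    """Create the users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "digest BLOB NOT NULL, iterations INTEGER NOT NULL)"
    )
    return conn


def create_user(conn, email, password):
    """Store salt and digest; the clear-text password is never written."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, digest, iterations) VALUES (?, ?, ?, ?)",
        (email, salt, digest, PBKDF2_ITERATIONS),
    )


def verify_login(conn, email, password):
    """Parameterized lookup plus constant-time digest comparison."""
    row = conn.execute(
        "SELECT salt, digest, iterations FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        # Spend the same work for unknown accounts so response time does
        # not reveal which e-mail addresses exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored, iterations = row
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def unsafe_lookup(conn, email):
    """The pattern that makes injection possible: user input spliced into SQL.
    Shown only as the 'before' of the parameterized form above."""
    return conn.execute("SELECT email FROM users WHERE email = '" + email + "'").fetchall()


def stored_rows(conn):
    """What a dump of the table yields: e-mail, salt and digest, no passwords."""
    return conn.execute("SELECT email, salt, digest FROM users").fetchall()


if __name__ == "__main__":
    db = open_store()
    create_user(db, "alice@example.org", "correct horse")
    print(verify_login(db, "alice@example.org", "correct horse"))  # True
    print(stored_rows(db))  # e-mail, random salt, digest: nothing reusable on other sites
```

Note that with salted hashing the reuse problem the article raises further down is only reduced, not removed: an attacker who dumps the table can still guess weak passwords offline, which is why the work factor is stored per row and meant to be raised over time.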

Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.

They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?

Posted by Valkyre at April 28, 2011 11:25 PM