
posted by janrinok on Saturday October 22 2016, @02:57AM
from the "when-will-they-ever-learn..." dept.

Submitted via IRC for TheMightyBuzzard

Weebly, a popular web-hosting service featuring a drag-and-drop website builder, has been breached, and email addresses/usernames, IP addresses and encrypted passwords for some 43 million users have been stolen.

Unfortunately, the company did not notice the breach when it happened, around February 2016. They were notified of it once LeakedSource got its hands on the stolen data.

"Unlike nearly every other hack, the co-founder and CTO of Weebly Chris Fanini fortunately did not have his head burried [sic] deeply in the sand and actually responded to our communication requests. We have been working with them to ensure the security of their users meaning password resets as well as notification emails are now being sent out," the group noted.

Weebly also published a security update on the site, explaining what they did once they were made aware of the breach:

  • Confirmed the authenticity of the data
  • Called in security consultants to help with the investigation
  • Reset passwords of affected users and notified them via email
  • Took steps to enhance their network security to prevent future breaches
  • Implemented tougher password requirements
  • Set up a dashboard for users to monitor their log-in history.

Source: https://www.helpnetsecurity.com/2016/10/21/weebly-breach-confirmed/


  • (Score: 0) by Anonymous Coward on Saturday October 22 2016, @06:10AM (#417536)

    at least the passwords were encrypted in this case

    • (Score: 0) by Anonymous Coward on Saturday October 22 2016, @06:12AM (#417537)

      and people laugh at me for using client-side password hashing

      cue the dipshits that have absolutely no fucking idea what i'm talking about in 3... 2... 1...

      • (Score: 0) by Anonymous Coward on Saturday October 22 2016, @02:32PM (#417577)

        ... yes? You called?

      • (Score: 0) by Anonymous Coward on Saturday October 22 2016, @05:31PM (#417613)

        I always thought that client-side hashing should have been in the HTML5 standard. Make it such that input elements of type "password" have an optional attribute called "hash" and one called "salt." If it is populated with a hashing algorithm, then the client computer does said hash and submits that data as the password, possibly Base64-encoded or just in hexadecimal. For example, "<input type="password" hash="SHA-512">" would put it through a single round of SHA-512 unsalted and submit that hex- or Base64-encoded. If you run a website and want it more secure, you could specify something like PBKDF2 or bcrypt like so "PBKDF2(SHA-512, 100000)" with a salt attribute specified. Lastly, when generating passwords, you can specify an invalid salt string, such as "*" or "?", and the client would use that as a signal to generate its own salt.

        An additional benefit of client-side hashing would be that since the load of hashing and whatnot is spread out among clients, there is a better chance that higher iteration counts would be used.

        • (Score: 0) by Anonymous Coward on Saturday October 22 2016, @05:34PM (#417614)

          Oh, and that obviously doesn't obviate the need for server side hashing and security as well. The reason for that is because the hash you generate effectively becomes the shared secret that both sides need to protect.

  • (Score: 0) by Anonymous Coward on Sunday October 23 2016, @01:02AM (#417704)

    Of those 43 people affected, how many have actually heard of Weebly?

  • (Score: 0) by Anonymous Coward on Monday October 24 2016, @01:50AM (#418008)

    I received the email but I never created an account there.
    Turns out I have an account to my name (email).
    How come? I suppose the account was not confirmed by email.