
posted by martyb on Saturday September 17 2016, @08:22PM
from the pass-the-salt dept.

Plaintext passwords, usernames, e-mail addresses, and a wealth of other personal information have been published for more than 2.2 million people who created accounts with ClixSense, a site that claims to pay users for viewing ads and completing online surveys. The people who dumped it say they're selling data for another 4.4 million accounts.

Troy Hunt, operator of the breach notification service Have I Been Pwned?, said he reviewed the file and concluded it almost certainly contains data taken from ClixSense. Besides unhashed passwords and e-mail addresses, the dump includes users' dates of birth, sex, first and last names, home addresses, IP addresses, account balances, and payment histories.

A post advertising the leaked data said it was only a sample of personal information taken from a compromised database of more than 6.6 million ClixSense user accounts. The post said that the larger, unpublished data set also includes e-mails and was being sold for an undisclosed price. While the message posted over the weekend to PasteBin.com has since been removed, the two sample database files remained active at the time this post was being prepared. The Pastebin post, which was published on Saturday and taken down a day or two later, read in part:

HUGE new leak! from the clixsense.com site:
~databases including 'users' with 6,606,008 plaintext pass, username, emails, address, security answer, ssn, dob.
~emails business + personal (more than 70k emails sent+received)
~source code for site (complete)

The post went on to say that most of the compromised personal information was current as of last month and that e-mail and some of the other data was last updated earlier this month. If true, that would make the data much more valuable than many of the recent leaks such as the one from Dropbox, which dates back to 2012.

[...] [ClixSense owner Jim] Grago also said ClixSense issued a mandatory password reset for all users shortly after the trouble began. An announcement on the ClixSense website said the database compromise involved an old server that was no longer in use but still had access to the database server. The old server has since been terminated. The announcement made no mention of the personal information circulating online or what precautions users should take now that such a vast amount of their personal information has gone public.

[...] When a service asks for a home address, birth date, or other data, consider whether there's really enough benefit in providing such data. In the case of ClixSense, which is often portrayed in promotions like this one on social media sites, I strongly doubt it's worth it at all, given that the database stored the passwords in plaintext rather than following standard industry practices. In other cases, it may be possible to provide incomplete or completely incorrect answers to requests for addresses, birth dates, and other personal details.

The mind boggles at how much information people are willing to give up in exchange for so little.
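The "standard industry practices" the article contrasts with ClixSense's plaintext storage come down to two things: a random per-user salt and a deliberately slow hash. The Python below is an example added to this story and is not code from the article, from ClixSense or from Ars Technica. It stores a small constructed user table both ways and then simulates an attacker who holds the dump and a short wordlist: the plaintext table gives up every password with no work at all, while the salted PBKDF2 table costs one hash computation per guess per user and does not even reveal that two users share a password. The record format, iteration count, usernames, passwords and wordlist are all assumptions made for the demonstration.

```python
"""Plaintext vs. salted, iterated password storage (constructed example)."""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this example: high
# enough to slow offline guessing, still tolerable at login time.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed sample users; not real ClixSense data. alice and carol
# deliberately share a password.
SAMPLE_PASSWORDS = {
    "alice": "hunter2",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}
# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "hunter2", "letmein"]


def store_plaintext(password: str) -> str:
    """What the leaked ClixSense table did: the credential IS the record."""
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Store a fresh random salt plus a slow hash keyed by that salt.

    Record format is an assumption for this example:
    pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def crack_from_dump(records: dict, wordlist: list) -> tuple:
    """Simulate an attacker holding a dumped table and a wordlist.

    Returns (recovered_passwords, hash_invocations). A plaintext record is
    read directly at zero cost. A hashed record costs one PBKDF2 run per
    guess, and because every user has a different salt the work cannot be
    shared between users, even those with identical passwords.
    """
    recovered = {}
    work = 0
    for user, record in records.items():
        if not record.startswith("pbkdf2_sha256$"):
            recovered[user] = record
            continue
        for guess in wordlist:
            work += 1
            if verify_hashed(guess, record):
                recovered[user] = guess
                break
    return recovered, work


def build_tables(iterations: int = ITERATIONS) -> tuple:
    """Return (plaintext_table, hashed_table) for the constructed users."""
    plain = {u: store_plaintext(p) for u, p in SAMPLE_PASSWORDS.items()}
    hashed = {u: store_hashed(p, iterations) for u, p in SAMPLE_PASSWORDS.items()}
    return plain, hashed


if __name__ == "__main__":
    # Lower work factor so the demo finishes quickly.
    plain, hashed = build_tables(iterations=20_000)
    print("plaintext dump:", crack_from_dump(plain, WORDLIST))
    print("hashed dump:   ", crack_from_dump(hashed, WORDLIST))
    print("alice and carol records equal?", hashed["alice"] == hashed["carol"])
```

The hash-invocation count is the whole point: on a plaintext dump the attacker's cost is the time it takes to read the file, while on the salted table each guess against each user costs a full PBKDF2 run, and a weak password is still recoverable but only by paying that price per account. A leaked salted table also does not show which accounts share a password, since alice and carol get different records.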


  • (Score: 2, Interesting) by Anonymous Coward on Sunday September 18 2016, @05:55PM (#403457)
    That's why I don't waste my time with strong passwords for most online stuff.

    Use different passwords for different sort of stuff, make them hard to guess but don't waste your time making them so strong. They aren't going to brute force your password over the web/net- if your password is strong enough that brute forcing it over the net would be like DoSing the site then it's strong enough.

    If someone is brute-forcing your password "locally" the site is already pwned and it usually doesn't matter how long your password is - they can get the password the next time you enter it or change it (e.g. site announces we got hacked, please conveniently change your passwords now*, even though we can't really be sure we have fixed all the holes the hacker can exploit ;) ).

    Save your strong passwords and strong password construction formats/styles for stuff where it actually matters (e.g. the weak link is your password and not some cheap outsourced labour in Support or similar**). That way those trying to crack your strong passwords can't tell how you construct them based on the weak passwords you use on the hackable sites :).

    * If you use the same passwords elsewhere, change them elsewhere (they may be expendable accounts but still worth keeping around), don't waste your time changing it on the site that was hacked. If it matters and is possible tell them to ensure your account is deactivated till they can guarantee they have got their act together.

    ** Fact is companies like to provide cheap and easy ways for people to break into their own accounts. Because in real life that's what most people need. They need that more than they need real security. They forget their passwords. They lose their OTP thingy. So in many cases you can call Support, whine enough, or add a crying baby in the background and Support will give the account to you. They meet their SLAs, 90% of the customers get what they want and less than 0.1% get pwned that way***. Win-win.

    *** Most hackers prefer thousands or millions of accounts. So they'd use the "Support" method for more targeted strikes - they might have a list of accounts that are worth targeting (e.g. famous person, MMO accounts that are likely to have lots of valuable stuff to resell).