The second breach that yielded more user passwords was at Android Forums. With this hack we have a little more detail, as one of the community managers has posted that a server hosting the forum was compromised and the forum's database was accessed. The surprisingly open comment from Phases is unusual in this case, but very welcome from an online forum that plays host to upwards of one million users.
Phases put it very clearly in this statement, which we would like to see from other companies:
“The trust of our users is extremely important and several staff members worked through the afternoon, evening, night, and morning to ensure we're doing everything possible to regain complete security.”
The post then goes on to describe the facts of the breach, the potential reasons and the methods up to a point… well, they stopped short of actually detailing the methods used (not surprising). We wonder if this was another UNION SQL injection, as that method is becoming popular across many sites (since it is yielding some good results). One of the smartest things that Android Forums did (in addition to actually informing their users) was to secure the admin accounts quickly. It was once a popular technique to compromise an admin account on a forum and then use the forum's internal mail engine to send spam to all of its registered users. We have also seen those compromised accounts used to disable other parts of the forum and for many other malicious purposes.
No matter how you slice it, security for all online services needs to become a primary concern, complete with proactive steps to protect user information. This is in contrast to many companies that treat security and updates as a secondary concern and react to the threats that are out there only when one materializes. We are pretty sure from the tone of Android Forums and many others that have been breached in the past few days that they will be giving security a little more attention moving forward than they have been. As of this writing no one has taken responsibility for either of these two breaches, so it is possible that the attacks were not successful or did not yield enough data to warrant an announcement. Still, we highly advise people to re-think their choice of passwords and to start using different passwords for different sites. This last one is probably the biggest issue with multiple online accounts, as most people do not want to try to remember complex passwords for all of the places they visit online.