I was going to push an article about something completely different that has been on the back burner for a good amount of time, but this is more important. Sorry for the lack of detail and my terse tone, but I expect better of large sites making amateur moves. I’m not saying I have never messed up: I have, but I learned from it* (“never push prototypes”) and never at this scale. The basics I sent to the site admins are enough for them to act on. I sent this out tonight. (Note: this is also why I don’t use email addresses for half of an account’s login credentials.)
Upon trying to login today to create a *******, I got a warning that the login page (now a pop-over) is not running through port 443 (SSL encrypted). I have decided to abort the login process because my email and password would be transmitted over the internet in the clear. My previous visits did have encrypted login. So thanks to someone who updated the site without running a regression test nor searching for glaring security hole you guys probably have a some users whose passwords have already been mined and exposed (LPH * HSU to calc how many people have been exposed) to allow crackers to get more pieces of info on account holders in order to steal their identity.
Combined with enough info (such as the recent Chase crack, Yahoo crack, or Sony crack) the crackers can try collected emails and passwords attached to them against known accounts with the same email to see which users use the same password on multiple sites. Then it is a simple matter to just run a script to try to login to all the popular sites — FB, G+, Amazon, Bank sites etc. to get into people’s accounts. Good job ;\
Very sloppy update.
About all I can say is that no matter how good your password is, reusing the same password on multiple sites means if someone else is sloppy with it, as above, you are exposed to having someone take over every account that uses this same password, and any account linked to an email with this recycled password. And since it is difficult to come up with unique passwords and not write them down, using a password manager such as 1Password is recommended (just use a good unique password for your password manager).
Obscurity and Encryption are not the only tools, just a few layers of in-depth defense I myself learn a bit more about every day. If you want to learn more about securing your site, check out SecurityPatterns.org.
(*The mistake I mentioned above didn’t cause a data breach, but still: now even my prototypes sanitize the input because I formalized a utility class with a static input filter method.)
UPDATE: this article published today http://appleinsider.com/articles/14/10/14/hundreds-of-dropbox-credentials-leaked-online-company-denies-breach and my prior article on Dropbox Email Scams could be inter-related as well as the above. Again, this could very well be an example of what happens when you use the same password on multiple accounts. So, be safe and don’t do it. Other than making myself type that a thousand times on a blackboard page of my site, (which would be cool if the Simpson’s opening used this BTW), I can’t emphasize strongly enough how dangerous using the same password (or dictionary words with a few numbers like “protected123”) is.
Oh yeah: I forgot my usual sign off in my haste to post last night: Thanks for reading.