Thursday, August 22, 2013

Reputation.com resets all user passwords following breach

Reputation.com, one of the places that helps to bury negative search results about you, has been hacked.

The online reputation management company on Tuesday sent a letter to customers telling them that its network security personnel had recently discovered and "swiftly shut down" an external attack on its network.

Reputation.com said in the letter that the intruder(s) managed to siphon off names and email and physical addresses. In some instances, phone numbers, dates of birth and occupational information were also filched.

On top of that, a list of salted and hashed passwords for "a small minority" of users was accessed, the company said.

Although it's "highly unlikely" the passwords could be decrypted, the company immediately changed all users' passwords, it said.

What was not accessed:

- Financial information, such as credit card numbers or bank account information, which the company doesn't store (hurray!),
- Social Security Numbers and drivers license numbers, which the company doesn't request (hurray!),
- Account details, including why users retained Reputation.com's services (hurray! I imagine that could get embarrassing and potentially be used to make negative content about users zoom back up in search results),
- Communication between users and Reputation.com, and
- Any details about the services users have received.

An interesting point is that the extent of the breach didn't trigger any legal obligation, worldwide (except for the US state of North Dakota. Hurray North Dakota!) to tell users about the breach, but the company thought it was important enough to let them know anyway.

It's such a kick in the teeth.

You think you find a site that helps you keep your private data from dribbling out of the myriad online places that siphon it off.

You imagine that the online sliming left by trolls, unhappy customers or whoever's out to get you has been, if not strangled entirely, at least buried far enough down in search results that its babbling just might be muffled.

Then somebody or somebodies goes and tries to stick a pin in those mission statements.

Well, it appears that Reputation.com's work to do those things hasn't been compromised by the attack, and much of the reason for that has to do with good security practices.

So kudos for going above and beyond disclosure requirements, and kudos for salting and hashing passwords, Reputation.com.

Hacked image courtesy of Shutterstock.