Last weekend, the Syrian Electronic Army leaked the details of over 1 million Forbes readers, including their usernames, email addresses and encrypted passwords.
Forbes has updated its initial statement to confirm that email addresses have been exposed and to warn customers of the phishing attacks that might leverage the compromised information.
“The email address for anyone registered with Forbes.com has been exposed Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks,” the statement reads.
The login section for Forbes blogs has been disabled while the company is working on securing its systems. Once logins are brought back online, users are advised to change their passwords.
Security researchers from Sophos have analyzed the leaked data. Apparently, Forbes has been using the PHPass Portable format to hash passwords. The hashes are not easy to crack since each of them is salted and put through 8,193 iterations of the MD5 hash.
While a brute force attack against these hashes is 8,000 times slower that an attack against a simple hash, it’s not impossible to crack the passwords.
“Despite the fact that well-chosen passwords are hard to crack here due to the 8193 iterations needed to test each password against each user, we can tell you that plenty of users in the list have made poor password choices,” Sophos’ Paul Ducklin noted.
Experts have managed to crack around one quarter of the 500 passwords belonging to Forbes employees in an hour, on a regular machine. Some of the company’s staff used passwords such as “password,” “sunshine,” “changeme,” welcome1,” and combinations of “forbes” followed by up to four digits – for instance “forbes123” or “forbes1.”
Ducklin highlights that while the encryption system used by Forbes is much better than the one used by Adobe, it’s still not good enough.