Welcome to DNF.com™ - Domain Sales, Domain Forum, Domain Appraisals, Domain Registrars

  1. #21
    south
    So I am to assume our EIN numbers, contact phone numbers, etc were stolen as well?
    Nice...

  2. #22
    SedoCoUk
    Hi all,

    The email was sent out to SedoPro members, but if you use multiple parking companies then it is important:

    We have been informed that due to a security problem at one of our competitors a list of their customer data including plaintext passwords is currently circulating on the web including relevant hacker forums.

    Our Security and Compliance Team has found several of our own customers matching the publicly available list. Due to the seriousness of this matter combined with the possibility that you might be using the same login data/password at more than one parking company, we strongly suggest that you change your password at Sedo.

    Sedo uses cryptographically unbreakable ciphertext for password checks and does not store your password in plaintext. This, and a variety of other security measures, ensures that your Sedo account is always safe from third parties.

    We generally recommend always using different login IDs for different sites and never handing out login IDs to any third party.

    Should you have any further questions or needs, your dedicated account manager is looking forward to helping.

    Kind regards,
    Your Sedo Security & Compliance Team


    With regards to some of the points made above... I think out of professional courtesy it is correct to not call out a particular organization. However, as we have clients who use multiple parking companies, it is our responsibility to advise people that it may be wise to update their password.

    Best,

    Tom

  3. #23
    Acro
    Tom, I think that it's more offensive to call another PPC company a "competitor" than to name it directly, thus assisting in users taking direct steps in changing their passwords. I understand that even sending out that email is a step in the right direction, however I had to visit DNForum in order to find out which PPC company's data was leaked.


  4. #24
    This is why I have a different password for every single site that I log into lol

  5. #25
    draggar
    I just got this from NameDrive:

    Hello,

    This is a mail to inform you that a minimal number of NameDrive accounts
    were the targets of a security breach recently.
    This affected less than 1% of our database.

    While we do not believe that your account has been affected and we have
    no indication of unauthorized access, we are informing you as a
    precaution that you should change your login passwords to any other
    online programs for which you use the same password as you do to log
    into NameDrive.com.

    Your NameDrive password has already been changed automatically for you.

    If you haven't already done so, you can retrieve your new password by
    logging into your account on the NameDrive homepage.

    While we have always had strict security measures in place, we have
    taken yet further measures to enhance our security measures with
    immediate effect.

    If you have any questions, please feel free to contact us at
    info@namedrive.com.

    Your NameDrive team

  6. #26
    Acro
    Yeah I got it too about an hour ago.


  7. #27
    Carter
    Acro, it's time you write an article on your blog about this scandalous fact.

  8. #28
    nts
    Originally posted by SedoCoUk:
    "a list of their customer data including plaintext passwords"
    Plaintext passwords, really? I find it very disturbing that any site, let alone NameDrive, would take the risk of storing passwords without hashing them...

  9. #29
    Acro
    There is no indication the plaintext passwords were stored as such with ND or if they were brute-forced. Hashed passwords are more secure in the sense that they require reversal but they are not uncrackable. The hackers apparently compromised a ND server that contained customer data and perused it for their benefit. Does anyone know where the data was posted?


  10. #30
    katherine
    Originally posted by nts:
    "Plaintext passwords, really? I find it very disturbing that any site, let alone NameDrive, would take the risk of storing passwords without hashing them..."
    I know of a few registrars, including one that puts great emphasis on security, that don't see anything wrong with storing passwords in plain text (cough cough).
    Last edited by sdsinc; 02-06-2009 at 06:49 PM. Reason: typo

  11. #31
    dvdrip
    Originally posted by sdsinc:
    "I know of a few registrars, including one that puts great emphasis on security, that don't see anything wrong with storing passwords in plain text (cough cough)."
    Which one? Please PM if you don't want to say.

  12. #32
    Focus
    These companies are totally frickin reckless with our important & sensitive data, geez

  13. #33
    katherine
    It's easy to find out.
    Try the password reminder feature of your registrar.
    If your password is on file it can be mailed to you. If it's encrypted using a hash (one-way) algorithm then you have to choose another one.
    Hashing doesn't really help if your password is weak - it can be reverse-engineered easily - but it helps mitigate the risk in case of a data breach.

  14. #34
    Noted

    Last edited by draggar; 02-07-2009 at 06:43 AM. Reason: Link removed

  15. #35
    Johnn
    Originally posted by kamilaseo:
    "Noted"
    Stop spamming

  16. #36
    katherine
    Today I requested my new NameDrive password and I noticed something funny.
    The new password actually reads like this:

    {my previous password}_1137884883

    I thought to myself, this password is not random and the number looks like a Unix timestamp.
    So let's run it in MySQL:
    Code:
    SELECT FROM_UNIXTIME( 1137884883 )
    
    => 2006-01-22 01:08:03
    I believe this is my registration date!

    So I think Namedrive just ran a quick & dirty SQL query instead of using a random sequence.
    Let me reverse-engineer the SQL that was used:
    Code:
    UPDATE members SET user_password = concat( user_password, '_', UNIX_TIMESTAMP( reg_date ) )


    BTW I'm not keeping that default password, thank you.

  17. #37
    Acro
    NameDrive, please fire that programmer. There are plenty of alternatives in the market today.


  18. #38
    katherine
    So it means that if the hackers have got these two fields from the database:
    • old_password (in plain text)
    • reg. date time

    they already have the new passwords. They just have to derive them.

    BTW nobody from Namedrive has posted here yet

  19. #39
    Acro
    I hope the NameDrive database programmer is working extra time this weekend to save his ass. This is extremely bad programming practice, and when I ripped Sedo in the past for something similar they fixed it in 24 hours quite well.


  20. #40
    katherine
    Now that I changed my password, I asked for a reminder.
    I got my password mailed to me so they are still stored in plain text.
    When will people ever learn?
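
The two problems raised in posts #36 to #40, a reset password computed from stored fields and passwords kept in plaintext (the reminder test in posts #33 and #40), shown beside a corrected approach. This is an added example, not part of the thread and not NameDrive's code; the function names, the sample old password and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def observed_reset(old_password, reg_unix):
    """Scheme reported in the thread: old password + '_' + signup timestamp."""
    return f"{old_password}_{reg_unix}"


def random_temp_password(nbytes=16):
    """Temporary password from the OS CSPRNG, unrelated to any stored column."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def reset_account():
    """Issue a random temporary password; only its hash is kept server-side."""
    temp = random_temp_password()
    return temp, hash_password(temp)


if __name__ == "__main__":
    # Constructed old password; the timestamp is the one quoted in the thread.
    # Same two stored fields in, same "new" password out: no added secrecy.
    print(observed_reset("old-password-example", 1137884883))
    temp, stored = reset_account()
    # The stored record verifies the password but cannot be mailed back as one.
    print(stored, verify_password(temp, stored))
```

With this storage format a "password reminder" feature has nothing to send, so account recovery has to issue a fresh random credential instead.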
