The hacking Vikings have hit Samsung-owned web TV sharing service Boxee.tv, reportedly pillaging a database of 158,000 forum users that was later posted to a Tor Internet site and sent to at least one researcher.
News of the breach, believed to have taken place around 10 March, emerged via third-party Australian security researcher Scott A. McIntyre, who confirmed on Twitter that he'd been emailed a dump of the 792MB MySQL database.
According to Ars Technica, the personal data related to 158,128 forum accounts, including email addresses, birth dates, IP addresses, message histories, and password changes. The data also included hashed passwords used to access the service itself.
Compounding the leak, a sizable number of the accounts were banned users, said an article on the Risk Based Security forum.
An odd dimension to this incident is the information vacuum that has opened up around the firm, bought by Samsung last July and operating a placeholder website since then. Days on from the first stories, neither Boxee nor Samsung has commented on the apparent security breach, let alone on what users should do about it.
The firm’s development effort appears to have been assimilated into Samsung’s some weeks after its acquisition. So far the only warnings of the attack have reportedly come from password management firm LastPass, but these will reach only a subset of the breached users.
More generally, data breaches of this sort have exploded: half of the largest ever recorded happened in the last year, and a growing number of smaller ones are hardly recorded at all.
The long-term effect of multiple small breaches could still be to undermine important elements used to identify millions of people, a recent analysis from NSS Labs has argued. Criminals could hold so many nearly complete identities containing data that cannot be reset – birth dates, names, social security numbers – that these could become less and less reliable as personal markers.