British horse racing bible Racing Post has had to suspend member access to its website while it clears up the mess caused by a weekend breach of a customer database.
“The Racing Post apologises for the inconvenience and worry caused to our customers by a malicious attack on our systems,” the paper began its notification using the now familiar tone adopted by numerous other sites in the same situation.
The site hasn’t specified how many account holders have been affected (the physical newspaper has a circulation of between 50,000 and 60,000), but described the attack as “sustained and aggressive.”
One database was breached while “we believe others were subject to similar attacks at the same time,” the notification said.
The information grabbed depended on the data entered when customers signed up but included first and last name, email and customer address, date of birth and an encrypted password, Racing Post said.
Normal procedure is for sites to advise customers to reset their passwords, but that functionality remains suspended on Racing Post’s site “until such time as we are satisfied that it is 100 per cent secure and cannot be breached or accessed in any way by hackers.”
“Please do not click on any links in any email purporting to come from a Racing Post address in the meantime,” the paper added, clearly aware of the danger of breached account holders receiving phishing emails.
The fact that the paper has yet to reinstate registration and login is a sign of the seriousness of the breach. The site said it was working with cyber security experts to ensure that the hack was not repeated and access would only be allowed when the paper believed the site to be completely secure.
“From what the Racing Post has published thus far the attack appears to be an ever common web application vulnerability that was exploited in order to compromise the database,” speculated NCC Group cyber incident response director, Lloyd Brough.
“While it is positive they have been quick to disclose the breach, providing further technical details on what type of encryption was used for the passwords would have helped inform technical users,” he said.
“We often see organisations claim encryption where in actual fact they are using hashing via algorithms such as MD5 without salts or iteration counts. If this is the case then it is little better than using unencrypted passwords due to the trivial nature of recovering them.”
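To illustrate Brough’s point, the following added example (not code from Racing Post or NCC Group) contrasts bare MD5 storage with a per-user-salted, iterated PBKDF2-HMAC-SHA256 store; the account names, passwords and the short common-password list are constructed for the demonstration, and the iteration count is illustrative only.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example, not Racing Post data; two
# users happen to have chosen the same weak password.
ACCOUNTS = {"alice": "horse123", "bob": "horse123", "carol": "Tr1ple-Crown!"}
# Constructed stand-in for the common-password lists used in real wordlists.
COMMON_PASSWORDS = ["password", "123456", "horse123", "letmein"]
ITERATIONS = 100_000  # illustrative; use a dedicated password hash (bcrypt/scrypt/Argon2) in production

def store_md5_unsalted(password: str) -> str:
    """The weak scheme Brough describes: bare MD5, no salt, no iteration count."""
    return hashlib.md5(password.encode()).hexdigest()

def store_pbkdf2(password: str) -> tuple[str, str]:
    """Salted, iterated scheme: fresh 16-byte random salt per user, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), dk.hex()

def verify_pbkdf2(password: str, salt_hex: str, dk_hex: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def lookup_unsalted(stored: dict[str, str]) -> dict[str, str]:
    """Why unsalted MD5 is 'little better than unencrypted': one precomputed table
    of digests for common passwords matches every affected account at once, with
    no further hashing work per user. A defender can run the same check to audit
    an exported table for guessable entries."""
    table = {store_md5_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored.items() if h in table}

def compare_schemes() -> dict:
    md5_store = {u: store_md5_unsalted(p) for u, p in ACCOUNTS.items()}
    pbkdf2_store = {u: store_pbkdf2(p) for u, p in ACCOUNTS.items()}
    return {
        # identical passwords give identical unsalted digests, so one hit exposes both users
        "md5_collides": md5_store["alice"] == md5_store["bob"],
        "md5_recovered": lookup_unsalted(md5_store),
        # per-user salts make identical passwords indistinguishable in the store
        "pbkdf2_collides": pbkdf2_store["alice"][1] == pbkdf2_store["bob"][1],
        "pbkdf2_verifies": verify_pbkdf2("horse123", *pbkdf2_store["alice"]),
        "pbkdf2_rejects": verify_pbkdf2("horse124", *pbkdf2_store["alice"]),
    }

if __name__ == "__main__":
    print(compare_schemes())
```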
There has been a recent rash of online breaches, including those affecting 860,000 users at the MacRumours forum, 42 million at Cupid Media, and perhaps the most significant of all, the 2.9 million account raid on software giant Adobe. Increasingly, these seem to occur as part of inter-connected campaigns.