Literary website Writerspace.com has admitted that almost a quarter of the 62,000 email logins published after an attack by LulzSec came from its user database.
In a warning note on the site’s homepage, Writerspace said that that 12,000 of the leaked email logins were from its members and said it was in the process of contacting the individuals concerned.
“We want to assure our readers that we take our responsibility for protecting your personal information very seriously. Unfortunately, there are people who make it their mission to find and exploit any vulnerability no matter how secure the system,” read the note.
The site also noted that LulzSec had recently hacked the CIA website and US Senate, glossing over the fact that neither of these hacks involved the loss of thousands of email addresses and passwords.
Writerspace then advised users to “make sure the passwords for all of your online accounts adhere to industry security standards,” again sidestepping the possible weaknesses of any login system that re-uses email addresses as user names, or simply stores email addresses and passwords together for recovery purposes.
It is not clear that writerspace used email addresses for logging in but sites that do so run the risk that users will re-purpose the same logins over and over for multiple sites. This gives anyone hacking one database a way of launching speculative attacks against others using the same information. LulzSec itself makes this weakness part of the point of its attack, encouraging sympathisers to try the logins across different sites.
Better advice would be that anyone whose login was published as part of the leak should change logins on any other sites that might use the same email address as authentication.
“Security techs are scouring the site now,” said Writerspace in a tweet. “There's no indication that the site itself has been hacked but we'll post info asap.”