
UserVoice Security Incident Notification - RossP
https://community.uservoice.com/blog/uservoice-security-incident-notification/
======
tempestn
Another thread on the incident report here:
[https://news.ycombinator.com/item?id=11664713](https://news.ycombinator.com/item?id=11664713)
[https://status.uservoice.com/incidents/fb7ml8b3nphf](https://status.uservoice.com/incidents/fb7ml8b3nphf)

There's a bit more info in this one about exactly what was compromised though.
While I can understand the abundance of caution in resetting passwords despite
only hashes and salts being lost, it is odd that they would "[presume] the
attackers may be able to decrypt the passwords," assuming they're using strong
encryption.

~~~
runesoerensen
I wouldn't call resetting passwords an "abundance of caution" in this case.
It's very likely that the attackers are able to retrieve passwords when they
have the SHA1 hash and the salt (not exactly by decrypting though).

Here's a good blog post on how and why this is problematic:
[https://www.troyhunt.com/our-password-hashing-has-no-clothes...](https://www.troyhunt.com/our-password-hashing-has-no-clothes/)

~~~
tempestn
Do they say somewhere that they're only using sha1 though? That's sort of what
I meant: if bcrypt or scrypt is used, with an appropriate work factor, the
risk should be very minimal. The fact that they're assuming it's not suggests
they are using weaker encryption.

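The two comments above turn on one point: with the salt and hash leaked, a salted SHA1 is recovered by guessing, not decrypting, and the salt only forces the attacker to hash each guess per user rather than reuse a precomputed table; a deliberately slow hash such as bcrypt makes each of those guesses cost orders of magnitude more. The example below is added here to show that and is not code from the thread, from UserVoice, or from the linked blog post. It assumes a small constructed wordlist, and, because bcrypt is not in the Python standard library, uses PBKDF2-HMAC-SHA256 with a large iteration count as a stand-in for a bcrypt cost factor.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist (assumption): stands in for a real cracking
# dictionary, which has hundreds of millions of entries, not seven.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2",
            "correcthorsebatterystaple", "Summer2016!"]

# Iteration count for the slow KDF (assumption): chosen so one guess
# costs tens of milliseconds, roughly what a mid-range bcrypt cost gives.
SLOW_ITERATIONS = 100_000


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Salted SHA1, the scheme the incident report says was in use.
    One SHA1 call per guess; a GPU cracker does billions per second."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_kdf(password: str, salt: bytes) -> bytes:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the
    standard library). The iteration count plays the role of the bcrypt
    cost value: every guess pays it, attacker and server alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, SLOW_ITERATIONS)


def crack(target: bytes, salt: bytes, hash_fn, wordlist):
    """Offline dictionary attack with the leaked salt and hash in hand.
    Nothing is decrypted: each candidate is hashed with the victim's
    own salt and compared against the stored value.
    Returns (recovered_password_or_None, number_of_guesses_made)."""
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(guess, salt), target):
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(hash_fn, salt: bytes, rounds: int) -> float:
    """Rough per-guess cost of hash_fn on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn("benchmark", salt)
    return (time.perf_counter() - start) / rounds


def demo(candidate_space: int = 10**9) -> dict:
    """Leak one user's salt and hash under both schemes, crack both,
    and project the cost of exhausting a large candidate space."""
    salt = os.urandom(16)  # per-user salt; leaked alongside the hash
    results = {}
    for name, fn, bench_rounds in (("fast", sha1_salted, 1000),
                                   ("slow", slow_kdf, 3)):
        leaked = fn("hunter2", salt)
        found, tries = crack(leaked, salt, fn, WORDLIST)
        cost = seconds_per_guess(fn, salt, bench_rounds)
        results[name] = {
            "password": found,
            "guesses": tries,
            "seconds_per_guess": cost,
            # Time to try candidate_space guesses against ONE user's hash.
            "seconds_for_space": cost * candidate_space,
        }
    return results


if __name__ == "__main__":
    r = demo()
    for name in ("fast", "slow"):
        print(f"{name}: recovered {r[name]['password']!r} in "
              f"{r[name]['guesses']} guesses; "
              f"{r[name]['seconds_per_guess']:.2e} s/guess; "
              f"10^9 guesses take {r[name]['seconds_for_space'] / 86400:.1f} days")
```

Both schemes give up a password that is actually in the wordlist; the difference the thread is about is the per-guess cost, which the `seconds_for_space` figures show. Python's SHA1 throughput understates the gap against a GPU cracker by several orders of magnitude, but the ratio between the two schemes is what a work factor buys.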
~~~
runesoerensen
Yes they said that in the first paragraph of the incident report you posted a
link to ;)

 _Unfortunately, the passwords were hashed with the SHA1 hashing algorithm,
which by today’s standards is considered weak_

Also, hashing != encryption

~~~
tempestn
Ahh thanks. I read the email they sent out, which had very similar content,
but omitted that bit. Just skimmed the post itself, but obviously missed that
key info.

Interesting that they don't include strengthening their encryption (ok,
hashing) in the list of steps they plan to take, but presumably they will.

~~~
runesoerensen
From the same incident report: _When users reset their password, we’re going
to be hashing it with the bcrypt algorithm with a strong cost value._

~~~
tempestn
My god, I swear they're ninja editing the thing on me! I'm really not normally
someone to comment before RTFA. Thanks for patiently leading me through it. :P

------
RossP
"In late April, the UserVoice security team learned that an unauthorized party
illegally accessed one of UserVoice’s backend reporting systems and was able
to view user data on a small subset of users. The user data includes name,
email, and a hashed password and salt. Unfortunately, the passwords were
hashed with the SHA1 hashing algorithm, which by today’s standards is
considered weak. As such, we’re resetting the passwords for all users in our
database."

Further information:
[https://status.uservoice.com/incidents/fb7ml8b3nphf](https://status.uservoice.com/incidents/fb7ml8b3nphf)

------
nacs
Just got an email from Uservoice about this.

Apparently I'm part of the "0.001%" that was affected in the breach.

~~~
nsgf
Me too. Maybe 0.001% is not accurate.

~~~
snoonan
Seconded. I got one too. It seems unlikely we'd converge here if it was only a
tiny fraction of users...

~~~
nsgf
Funny thing, 37 minutes after receiving the first one, I received another
notification on a secondary e-mail (also a gmail account) that is used for a
toy project's free UserVoice account and is totally unrelated to the first
one.

