
8tracks Password Security Alert - achairapart
https://blog.8tracks.com/2017/06/27/password-security-alert/
======
cyberferret
Ok, so the breach was via an employee's Github account that wasn't secured
with 2FA. I understand that would have given them access to the source code
for 8tracks, but HOW did they get access to database credentials?? I would
have assumed best practice would dictate that database server IP addresses and
access credentials would have been in a configuration file that is NOT checked
into version control??

Most companies go to great lengths to extract credentials, keys and other
sensitive information into some sort of environment file, don't they?

Unless they had a copy of their database in text/JSON/XML format uploaded to
version control as well??

~~~
hamandcheese
The backups could have been stored in a system protected by github SSO
perhaps.

~~~
cyberferret
Ah, I hadn't thought of that. Makes sense that this could have been the case.

------
matt_wulfeck
> _If you signed up via Google or Facebook authentication, then your password
> is not affected by this leak_

This is why it drives me _crazy_ when I click "login using google" and then it
immediately prompts me to create an account with only my email filled in.

~~~
joneholland
Thanks for letting us have access to all your personal data!

~~~
colechristensen
This is not how "login with google" works. Instead it's using
Google/Facebook/whatever as a trusted third party to authenticate you.

~~~
cyphar
But Google/Facebook/whatever can trivially link all of your accounts through
the SSO (and when you access your accounts). Of course, Google can get some of
that information from GMail and both can get it from tracking (and GP was
talking about the other way around), but it is something to consider.

------
phreack
What I'd like to know and is lacking from this disclosure is what data they
stored and was leaked from users, and the hash algorithm they used.

~~~
achairapart
Motherboard[0] talks about 18 million accounts compromised, stolen data
includes usernames, emails and SHA-1 hashed passwords.

[0]: https://motherboard.vice.com/en_us/article/mbjm83/hacker-steals-millions-of-accounts-from-internet-radio-service-8tracks

------
kentt
> Although the decryption of one particular user’s password through brute-
> force techniques is unlikely,

This doesn't seem true to me given that many people use weak passwords (even
when they think they don't).

------
GrumpyNl
Here we go again. We see these happening too often.

------
TekMol
That the Github account did not use 2FA does not explain the breach. How did
the attacker get the password?

------
Rjevski
At least the passwords were hashed. I wonder what hash they used though. I'm
tempted to bet good money it's going to be an inadequate one like SHA1 or a
completely broken one like MD5.

~~~
meowface
When the purpose of hashing is protection of passwords, MD5, SHA1, SHA256,
etc. are all effectively equally broken. MD5 vs. SHA1 makes no real difference
here.

You can usually tell a company's security posture when they say "all passwords
were hashed and salted" without listing the hashing algorithm. If they're
using an algorithm actually suited for password hashing, like bcrypt, they'll
usually state the name of the algorithm.
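As an added illustration of the point above (example code, not from the thread or from 8tracks): an unsalted fast hash such as SHA-1 gives every user who picked the same password an identical record, while a per-user salted, iterated KDF does not and has a tunable cost; PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here. The record format, iteration count and the login-time upgrade helper are assumptions for this example.

```python
import hashlib
import hmac
import os

# Constructed sample value for the demo; not real 8tracks data.
COMMON_PASSWORD = "password123"


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1: the kind of 'hashed' store the thread is discussing."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256.

    Record format 'pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>' is assumed
    for this example so the parameters travel with the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password: str, legacy_hash: str):
    """Migration pattern (assumed): on a successful login against a legacy
    SHA-1 record, return a fresh PBKDF2 record to replace it; None on failure."""
    if not hmac.compare_digest(legacy_sha1(password), legacy_hash):
        return None
    return pbkdf2_record(password)


if __name__ == "__main__":
    # Two users, same weak password: legacy hashes collide, KDF records do not.
    print(legacy_sha1(COMMON_PASSWORD) == legacy_sha1(COMMON_PASSWORD))  # True
    a, b = pbkdf2_record(COMMON_PASSWORD), pbkdf2_record(COMMON_PASSWORD)
    print(a != b, verify(COMMON_PASSWORD, a))                            # True True
    print(upgrade_on_login(COMMON_PASSWORD, legacy_sha1(COMMON_PASSWORD)) is not None)
```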

~~~
Rjevski
To be honest I know that MD5 vs SHA1 or SHA512 is irrelevant in terms of
password hashing, but personally seeing SHA512 would make me laugh a little
less than MD5. Both are inadequate for this particular use-case, but at least
seeing the modern hash would mean they tried to do the right thing.

------
ec109685
Wish all sites let you login with one of the big identity providers like
google or Facebook.

~~~
cyphar
Absolutely not, it ties all of your information together trivially. People
should just use password managers with a unique password for each website.
Then you don't really care about one site's bad security meaning that your
security on another site is ruined (with SSO that's also an issue, you just
trust the SSO provider more explicitly). You only care about whether data was
accessed or modified with a particular service.

~~~
Kiro
No, I prefer Google or Facebook.

~~~
cyphar
And if your Google or Facebook account is hacked...?

~~~
user5994461
Same as if your password manager account is hacked.

~~~
rocqua
There are non-cloud based password managers.

