Holy Data Breach, Batman! Hackers Hit Comixology

[Guest]

Not even superheroes are safe from data breaches: a data breach at digital comic vendor Comixology leaves passwords potentially exposed.

Holy Data Breach, Batman! Hackers Hit Comixology : Read more

 

[Christopher Shaffer]

If I was going to hack Comixology, I wouldn't steal user info. I'd steal comics. Maybe set myself up with a life-time sub to everything from Vertigo and all the Wolverine titles.These hackers need to get their priorities straight.

 

[bustapr]

thats not how it works. these hackers usually work with DDoS attacks to breach security and during the attack they steal small packets of information such as passwords and names. all this is no more than a few minutes. stealing large files such as comics is a whole different thing that isnt possible in this method. and setting up a lifetime sub is a thing of movies.

 

[rajangel]

So long as the encryption was "decent." What a riot, that Comixology doesn't even know what encryption was used in their system. Way to inspire trust in your users, guys.

 

[Gillerer]

What a riot, that Comixology doesn't even know what encryption was used in their system.

There are reasons why businesses don't just share their security protocols in public.

 

[koga73]

They should have just said the encryption is decent. And hackers did not break in using DDoS. That is only used to bring down a site by flooding it with traffic. Most likely the hacker got in with stolen creds or sql injection. Once in they can export the db (though the passwords should be hashed (one way) not encrypted (two way)). And it may be possible for a hacker to give themselves a "lifetime subscription". All they would have to do is find in the db where subscriptions are handled and add or modify a row.

 

[ddpruitt]

What a riot, that Comixology doesn't even know what encryption was used in their system.

There are reasons why businesses don't just share their security protocols in public.

Yea because they know they're crap. Security by obscurity has never worked. Between a website that let's everyone know that use a strong encryption algorithm versus a website that hides the fact that they use MD5, the website that uses MD5 always loses.

 

[f-14]

Comic Book Guy Jeffrey Albertson did it. would be a great thing to plug in a later simpson's episode.

 

[jimmysmitty]

So long as they used something strong like AES 256 they wont get it. Most smart companies use at least that.

 

[Heironious]

Oh...my...gawd. All 12 users have had their passwords stolen!!

 

[c123456]

@ddpruitt: You really think they used MD5? It's been well known not to use it, SHA-1, etc for quite a while now on online passwords. Using either bcrypt or AES, and they're golden. bcrypt has some very good implementations in basically every server side language for this purpose even.

 

[Christopher Shaffer]

@bustapr Wow, if ever there was a complete lack of understanding of sarcasm, there it is.My post is what is sometimes referred to as a joke, using a form of blatant sarcasm to suggest an improbable idea.That said, I'm an EE and I work in software development, so I'm very clear on the methods and what hackers employ and have access to, but thanks.