Holy Data Breach, Batman! Hackers Hit Comixology

Status
Not open for further replies.
Sep 22, 2013
If I was going to hack Comixology, I wouldn't steal user info. I'd steal comics. Maybe set myself up with a life-time sub to everything from Vertigo and all the Wolverine titles. These hackers need to get their priorities straight.
 

bustapr

Distinguished
Jan 23, 2009
That's not how it works. These hackers usually work with DDoS attacks to breach security, and during the attack they steal small packets of information such as passwords and names. All this is no more than a few minutes. Stealing large files such as comics is a whole different thing that isn't possible in this method. And setting up a lifetime sub is a thing of movies.
 

rajangel

Distinguished
Aug 15, 2009
So long as the encryption was "decent." What a riot, that Comixology doesn't even know what encryption was used in their system. Way to inspire trust in your users, guys.
 

Gillerer

Honorable
Sep 23, 2013
> What a riot, that Comixology doesn't even know what encryption was used in their system.
There are reasons why businesses don't just share their security protocols in public.
 

koga73

Distinguished
Jan 23, 2008
They should have just said the encryption is decent. And hackers did not break in using DDoS. That is only used to bring down a site by flooding it with traffic. Most likely the hacker got in with stolen creds or SQL injection. Once in, they can export the db (though the passwords should be hashed (one-way), not encrypted (two-way)). And it may be possible for a hacker to give themselves a "lifetime subscription". All they would have to do is find in the db where subscriptions are handled and add or modify a row.
 

ddpruitt

Honorable
Jun 4, 2012
> > What a riot, that Comixology doesn't even know what encryption was used in their system.
> There are reasons why businesses don't just share their security protocols in public.
Yeah, because they know they're crap. Security by obscurity has never worked. Between a website that lets everyone know that they use a strong encryption algorithm versus a website that hides the fact that they use MD5, the website that uses MD5 always loses.
 

c123456

Honorable
Feb 3, 2014
@ddpruitt: You really think they used MD5? It's been well known not to use it, SHA-1, etc. for quite a while now on online passwords. Using either bcrypt or AES, and they're golden. bcrypt has some very good implementations in basically every server-side language for this purpose even.
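
Added example, not written by any poster in this thread and not Comixology's code: salted one-way password storage with an upgrade path for legacy unsalted MD5 records, illustrating the hashed-versus-encrypted and MD5-versus-bcrypt points raised in the posts above. It uses Python's standard-library scrypt in place of bcrypt so it runs without third-party packages; the record format, cost parameters and sample accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune for your hardware)
N, R, P = 2**14, 8, 1

def legacy_md5(password: str) -> str:
    """The weak scheme named in the thread: unsalted, fast MD5."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Salted, deliberately slow one-way hash with a fresh salt per record."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the hash from the candidate password; nothing is decrypted."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), record)
    if scheme == "scrypt":
        n, r, p, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
        return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare
    return False

def login(db: dict, user: str, password: str) -> bool:
    """Verify, then replace a legacy MD5 record after a successful login."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if record.startswith("md5$"):
        db[user] = hash_password(password)
    return True

def demo():
    # Constructed sample accounts: two users who chose the same password.
    db = {"alice": legacy_md5("hunter2"), "bob": legacy_md5("hunter2")}
    same_before = db["alice"] == db["bob"]  # unsalted MD5: identical records
    ok = login(db, "alice", "hunter2") and login(db, "bob", "hunter2")
    same_after = db["alice"] == db["bob"]   # per-record salt: records differ
    return same_before, ok, same_after, db

if __name__ == "__main__":
    print(demo()[:3])
```
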
 
Sep 22, 2013
@bustapr Wow, if ever there was a complete lack of understanding of sarcasm, there it is. My post is what is sometimes referred to as a joke, using a form of blatant sarcasm to suggest an improbable idea. That said, I'm an EE and I work in software development, so I'm very clear on the methods and what hackers employ and have access to, but thanks.
 