CISOs will be alarmed to hear that the CNET technology news website – which is aimed at security and other IT professionals – has been hacked by a Russian group which claims to have stolen more than one million user credentials and encrypted passwords.
CNET has been criticised by industry watchers for largely leaving its readers in the dark over the breach. Bizarrely, details on the attack have emerged through a news report on the CNET site, rather than any official warning or advice to users.
The 14 July CNET story details how Russian hacker group 'W0rm' says it infiltrated the site's servers and stole a database of more than a million user names, emails and encrypted passwords. They got into the servers through a security hole in the site's implementation of the Symfony PHP framework, which developers use to build websites.
The hackers reportedly informed CNET of the attack via Twitter, and W0rm's own Twitter feed displays a screenshot of the compromised CNET server.
W0rm has subsequently offered the data for sale for 1 bitcoin or roughly £360. But the hackers insist their motives are not criminal, simply to highlight security weaknesses on popular websites.
The CNET news story explains: “The W0rm representative, a non-native English speaker, said the group had no plans to decrypt the passwords or to complete the sale of the database.
“W0rm claims that its goals are altruistic, and that it hacked CNET servers to improve the overall security of the web. By targeting high-profile sites, the group says it can raise awareness about security flaws.”
According to ComScore, CNET was visited by more than 27 million people last month, and in the past W0rm has hacked the BBC, Adobe Systems and Bank of America sites.
But a UK spokesperson for CNET owner CBS Interactive declined to comment on any of this, telling SCMagazineUK.com: “A few servers were accessed. We identified the issue and resolved it a few days ago and we continue to monitor and are investigating for any potential impact.”
In light of this level of response, the news report provoked a number of critical reader comments, including: “I like how the article posted by CNET is at the very VERY BOTTOM of the page to draw less attention and users were not sent an email from CNET privately about the attack.”
This concern was shared by leading UK security industry analyst and blogger Graham Cluley, who told SCMagazineUK.com: “I guess we should feel grateful that the hackers don't appear to be interested in exploiting the stolen information (and don't appear to be serious about selling it onto others).
“But I am disappointed that CNET hasn't (so far at least) informed registered users of the security breach. Even if the passwords aren't cracked, there is other personal information in there which could potentially be exploited by cyber criminals.”
Fran Howarth, a senior security analyst at Bloor Research, believes CNET may have been targeted precisely because it is read by security professionals – and that is the best way for W0rm to get its message across.
She told SCMagazineUK.com via email: “The hacker claims to have attacked the website to highlight the need for better internet security. Its target this time was a popular technology news site, aimed largely at security professionals, in order to hone its message to an audience likely to be interested.”
She added: “Reputational damage to CNET is likely. All organisations with valuable internet real estate should look to employ not just security controls such as encryption, but should ensure that all systems containing sensitive information are monitored on a continuous basis in real time so that problems can be fixed as quickly as possible.”
Leading industry watcher Alan Woodward, a visiting professor at Surrey University and Europol adviser, felt the 1 bitcoin price demanded by the hackers “does suggest they may be doing it to raise awareness that valuable personal details are being exposed by even the biggest names in the online world”.
He told SC via email: “When the dust settles on these types of incident you find in the majority of cases that it was social engineering of some sort that was the root cause. I suspect the same may be true here. Whatever the truth, it does highlight that companies need, perhaps, to change their approach to how they secure our personal details as the number of major breaches is now an embarrassment.”
The CBS Interactive spokesperson told SC: “We want to avoid sharing any information publicly that could motivate or invite any other issues. It's shut down, it's done and dusted, and there's been no impact.”
In a separate commentary on the case, Cluley advises CNET registered users to change their password as a “sensible precautionary measure”. He adds: “CNET should do the decent thing and reach out to affected users – warning them of the possibility of malicious emails and communications using some of the information that has been exposed. It seems to me that that would be the responsible thing to do.”