Scribd hit by password-stealing breach

April 5, 2013 // 11:16 a.m.

Tags: #hashing #insecurity #password #passwords #scribd #security #sophos #vulnerability

Document storage service Scribd, which describes itself as 'the world's largest online library,' has warned its users of an attack that could have resulted in a number of passwords being disclosed to ne'er-do-wells.

Scribd provides a service whereby users can upload electronic documents for easy sharing and embedding in websites. In order to do anything more than view existing documents, users need to sign up for an account by providing a username and password - and it's estimated that around 50 million or so people have done exactly that.

A userbase that big, combined with the tendency for a worrying majority of people to use the same password across multiple services, makes Scribd an obvious target for crackers and other digital delinquents - and a group has apparently managed to make off with a small number of usernames and passwords in its most recent attack.

'Earlier this week, Scribd's Operations team discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users,' the company has stated in a message to customers. 'Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1 per cent of our users were potentially compromised by this attack. Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.'

A single per cent may not sound like very many users, but with a user base of 50 million registered customers that's an impressive 500,000 passwords in the hands of miscreants. While the company states that the passwords were encrypted, it provides no details on the method used - meaning it could, potentially, be relatively easy for the attackers to recover the original passwords from the stolen data.

'Salting and hashing passwords is supposed to be a one-way process that allows the passwords to be verified, but not decrypted to reveal the original cleartext,' explained Paul Ducklin, of security giant Sophos, of the problem. 'Assuming they were hashed and salted, then, stealing the password database doesn't directly reveal anyone's password - but it does let the crooks mount an offline attack on the database, hashing a dictionary of passwords one-by-one and noticing when a guessed password is verified against the database of hashes. And since Scribd isn't saying what password security algorithm it used, you have little choice but to assume it was a hashing process that doesn't slow down determined attackers much.'
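The storage scheme Ducklin describes, as an added example that is not from the article and not Scribd's own code (Scribd never disclosed its algorithm): a per-user random salt, a deliberately slow hash (PBKDF2-HMAC-SHA256, with an iteration count chosen here for illustration), constant-time verification, and a rough measurement of how many guesses per second a single machine can check against a plain salted SHA-256 versus the slow hash, which is the whole point of choosing one.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Illustrative parameters; a real deployment tunes the iteration count to its hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means the same password hashes differently for
    every account, so one precomputed table cannot be reused across the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def guesses_per_second(hash_func: Callable[[bytes, bytes], bytes], salt: bytes,
                       seconds: float = 0.5) -> float:
    """Measure how many candidate passwords one core can hash in the given time.

    The salt is known to whoever holds the stolen record, so it does not slow
    guessing; only the per-guess cost of the hash function does.
    """
    n = 0
    end = time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_func(b"guess%d" % n, salt)
        n += 1
    return n / seconds


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("password123", record))                    # False
    salt = os.urandom(SALT_BYTES)
    fast = guesses_per_second(lambda p, s: hashlib.sha256(s + p).digest(), salt)
    slow = guesses_per_second(lambda p, s: hashlib.pbkdf2_hmac("sha256", p, s, PBKDF2_ITERATIONS), salt)
    print(f"salted SHA-256: ~{fast:,.0f} guesses/s; PBKDF2: ~{slow:,.0f} guesses/s")
```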

Scribd has emailed all known affected accounts to ask them to change their password, along with providing an account checker for those who are concerned they may have missed the email. For security's sake, however, we'd advise all Scribd users to change their password - and if the same password was used elsewhere to change those as well. To something other than the new Scribd password, for preference.


View this in the forums