Data Breach Graphic
Image from Shutterstock.com

A Canadian-owned media company that hosts and runs hundreds of technology, automotive and sports news and discussion forums still hasn’t completely acknowledged it has been hacked, three days after it was reported that 45 million records had been taken four months ago.

In an email statement today Jerry Orban, vice-president of corporate development at VerticalScope Inc. did say it has strengthened its password policies “as a precautionary security measure,” including resetting passwords.

However, he also said VerticalScope has contacted third party vendors that provide desktop and mobile plug-ins, “notifying them of the breach to allow their own security teams to investigate.”

Orban said the company is aware of “the possible issue” of a breach and that its internal security team is still investigating.

“We believe that any potential breach is limited to user names, user IDs, email addresses, IP addresses and encrypted passwords of our community users,” he said.

Verticalscope is controlled by the Toronto Star’s parent company, TorStar Corp., which paid $200 million for the firm last summer. It says it has some 600 Web sites read across North America. Its advertiser and marketing partners include some of the biggest names in the automotive sectors including Toyota, Mercedes-Benz, BMW, Honda, Michelin and Shell.

On June 14 LeakedSource.com said its search engine had discovered the dataset for over 1,100 websites and communities in April. Some of the larger domains include Techsupportforum.com MobileCampsites.com Pbnation.com and Motorcycle.com.

LeakedSource suggested the size of the dataset captured meant VerticalScope had erred in the way it stored data, putting it either on one server or a series of connected servers. The alternative, presumably, would be separate databases. But Avner Levin, head of Ryerson University’s privacy and cyber crime institute, said the real issue is whether there proper access control. Having a single user database is OK as long as security is tight, he said.

However, Levin was critical of the notice forum members were given about the breach. For example, one forum was told “Over the next few days we will be implementing some changes to our forum password strength and password expiration policies. To make sure you continue having the best experience possible on the community, we regularly monitor the site and the Internet to keep everyone’s account information safe. We’ve recently become aware of a potential risk to some accounts coming from outside of this community. Just to be safe, we are implementing the following changes to improve security even further.”

Leven said, “I think this is very oblique. If they have indeed been breached then this is misleading and inaccurate, and should not have been sent out.”

LeakedSource also analyzed the passwords and found they were stored with various encryption methods. However, it said less than 10 per cent of the domains used what it called difficult to break encryption. Over 40 million of the records used were just MD5 with salting, “and this is insufficient.”

We reported last year that a site said it found a way to crack 11 million MD5-protected passwords in the leaked Ashley Madison dataset.

Orban said that “in response to increased Internet awareness of security-related incidents, including potential incidents on our communities, we are implementing changes to strengthen our password policies and practices across all of our communities as a precautionary security measure.”

These include enhancing password rules to require strong passwords and periodic password expiration. Acceptable passwords must now have a minimum of 10+ characters and a mixture of upper and lowercase letters, numbers and symbols. “Additionally, our administrators and moderators will have a two-step password verification, and users will be reminded to use good “password hygiene” which means not using the same password for multiple online accounts and using unique strong passwords for each.”

“While we run encrypted passwords and salted hashes to store passwords on all user accounts, our new password rules are intended to further strengthen user security. We are also taking steps to investigate and test new encryption and security technologies to allow us to further protect our users.”

The sites themselves don’t sell products so forum members don’t have to submit credit card information, and usernames and profiles can be phoney for privacy reasons. For that reason users may not have been worried about picking secure passwords. So, according to a LeakedSource analysis of passwords it could access, 150,800 members used the password ‘123456’, 83,800 used the password ‘password,’ and 42,000 used ‘123456789.’

Criminals would try to match usernames and passwords to popular sites like gmail, LinkedIn and Twitter.

VerticalScope’s advertisers include some of the biggest names in the automotive sectors including Toyota, Mercedez-Benz,