The extremely popular broadband Internet service review site, DSLReports.com, is advising of a data breach and theft of user credentials and e-mail addresses. Forum members received an e-mail advising them of an attack that occurred on Wednesday between 2:00 PM and 6:00 PM, in which “a large botnet” of compromised machines performed an SQL injection attack and retrieved random membership details from a large number of accounts stored in the site's database, which held accounts as old as 10 years.
There is an ongoing discussion in the forums where Justin Beech, founder of DSL Reports, advises that although compromised accounts have had their passwords reset, the attackers may be using the stolen credentials to gain access to other services such as PayPal or Amazon, as many users frequently set the same password for multiple online logins. While warning e-mails were sent out to users roughly 6 hours after the attack started, Justin advises that measures were taken to stop the breach before attackers reached 8% of their goal.
Many posters are outraged by the lax security, citing the storage of plain-text passwords and the lack of mechanisms to mitigate widely known attacks, such as SQL injection, on live web applications. Other posters are commending Justin on his open style of reporting the breach and talking one-on-one with members in an effort to show his dedication to resolving the issue.
All users with accounts on DSLReports.com should change their passwords for the forums, as well as any other passwords that may be tied to their membership e-mail address.