As I reported on Sunday, Fisher Hargreaves Proctor recently suffered a serious security breach on their website. At the time of the original article, details were limited to those disclosed in the e-mail FHP sent to its users, not least because no-one else appears to have reported on the issue.
I e-mailed both FHP and their site maintainer – Reach Marketing – for more information on the issue, and they’ve been reasonably forthcoming. Below are the questions I asked and the responses from Reach Marketing.
Why were the passwords stored in plaintext?
Unfortunately the site was coded with plain text passwords. This site was an older site and is currently undergoing some upgrades and this area of the site would have been encrypted. We have brought this change forward immediately.
How was the site compromised?
The site was a victim of an SQL injection.
Where were the credentials posted?
They were placed on a company’s website which had been hacked and the file placed in a folder that the company were not aware of.
How many credentials were compromised?
It was a proportion of the users of the site.
What steps are you taking to avoid a repetition?
We are putting in place two steps. The passwords will now be protected with multi layer encryption. Additionally we will be updating the coding of the site to close any vulnerabilities in the URL structure. We think the “cat_ID” part of the URL was targeted.
Were any of your other customers affected?
We are not aware of this.
When did the breach actually take place?
There is a date on the hacked file of 15th April 2010 however we don’t know if this is the date the file was hacked or a date that the hacker has put on it to confuse. We don’t know when the file was placed on the company’s website (as they were not aware of it themselves). We were made aware of the file on 25/11 and had it removed the same day. We let all FHP users now(sic) about the issue on 26/11.
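The class of flaw RM describes above (a URL parameter such as cat_ID pasted into a query, against a table holding plaintext passwords), as an added example that is not code from the FHP site, whose implementation is not public: the SQLite database, the table and column names, the sample rows and the UNION payload are all assumptions for illustration. The vulnerable query hands the attacker the credential table in one request; the hardened version validates the parameter's type and binds it, so the same input is refused.

```python
import sqlite3

# Constructed demo schema standing in for the real site, whose code is not
# public: table/column names and the sample rows are assumptions.
SEED_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]
SEED_LISTINGS = [(1, "Two-bed flat"), (1, "Studio"), (2, "Detached house")]

# A UNION payload as it might arrive in the cat_ID query-string parameter.
PAYLOAD = "1 UNION SELECT email || ':' || password FROM users"


def open_demo_db():
    """Build an in-memory SQLite database with a plaintext password column."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (email TEXT, password TEXT);"
        "CREATE TABLE listings (cat_ID INTEGER, title TEXT);"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.executemany("INSERT INTO listings VALUES (?, ?)", SEED_LISTINGS)
    return conn


def listings_vulnerable(conn, cat_id):
    """The injectable pattern: the URL parameter is pasted into the SQL text."""
    sql = "SELECT title FROM listings WHERE cat_ID = " + cat_id
    return [row[0] for row in conn.execute(sql)]


def listings_hardened(conn, cat_id):
    """Validate the type, then bind the value; it can never become SQL syntax."""
    cat_id = int(cat_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT title FROM listings WHERE cat_ID = ?"
    return [row[0] for row in conn.execute(sql, (cat_id,))]


def demo():
    """Return (what the vulnerable query leaks, whether the hardened one refused)."""
    conn = open_demo_db()
    leaked = listings_vulnerable(conn, PAYLOAD)
    try:
        listings_hardened(conn, PAYLOAD)
        refused = False
    except ValueError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable query returned:", leaked)
    print("hardened query rejected the payload:", refused)
```

Two points worth taking from this: the UNION needs no knowledge of the listings table beyond its column count, and the injected SELECT runs with whatever database privileges the web application has, so it reaches the users table just as easily as the one the page was meant to query.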
Although my initial reaction to the original notification was annoyance and frustration, both Fisher Hargreaves Proctor and Reach Marketing appear to have been handling the situation very well. Storing passwords in plain text is always a bad idea, but it was far more commonly tolerated in the past. One caveat on RM's wording: what a site needs here is a salted, deliberately slow password hash rather than "encryption", since an encryption key kept on the same server is reachable by the same attacker who reads the table.
If Reach Marketing is to be believed, this had been identified as a risk prior to the incident, and their systems were compromised before they had a chance to rectify the situation. These things do happen, unfortunately.
It seems plausible that the credentials were compromised as early as April this year. As RM commented, it's possible that the attacker used touch to change the timestamp of the file. Although this may seem like a waste of effort, it would point anyone searching the log files at the wrong period, making the unauthorised upload far harder to locate unless it was noticed almost immediately. On a Unix-like host, though, touch can only rewrite the access and modification times; the inode change time (ctime) is set by the kernel and would still record when the file was last altered.
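The backdating scenario above, as an added example (not something from FHP's or RM's investigation): a constructed file is given the 15th April 2010 modification time RM saw, using os.utime, which is the same system call touch uses. The check then compares mtime with ctime, the inode change time the kernel refuses to let a user set. The file name and the one-year threshold are assumptions.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed scenario: a dropped file whose modification time has been pushed
# back to 15th April 2010, the date RM found on the hacked file.
BACKDATED = datetime(2010, 4, 15, tzinfo=timezone.utc).timestamp()
ONE_YEAR = 365 * 24 * 3600


def write_and_backdate(path):
    """Create the file, then backdate it the way `touch -d 2010-04-15` would."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("constructed sample, standing in for the posted credential file\n")
    # os.utime (like touch) can only set atime and mtime. The kernel records
    # this very call as a metadata change, so ctime moves to *now*.
    os.utime(path, (BACKDATED, BACKDATED))


def timestamps(path):
    """Return the file's modification and inode-change times as epoch seconds."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "ctime": st.st_ctime}


def looks_backdated(path, min_gap=ONE_YEAR):
    """A genuine April 2010 file would have mtime and ctime close together;
    a ctime far later than mtime is the fingerprint of touch-style tampering.
    (On Linux/macOS st_ctime is the inode change time; on Windows it is the
    creation time, which is also "now" for a freshly dropped file.)"""
    ts = timestamps(path)
    return ts["ctime"] - ts["mtime"] > min_gap


def demo():
    """Drop a backdated file in a temp dir and return its timestamps and verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dropped_file.txt")
        write_and_backdate(path)
        return timestamps(path), looks_backdated(path)


if __name__ == "__main__":
    ts, flagged = demo()
    for name, value in ts.items():
        print(f"{name}: {datetime.fromtimestamp(value, timezone.utc):%Y-%m-%d}")
    print("looks backdated:", flagged)
```

Two limits to keep in mind: ctime is also bumped by a later chmod, chown or rename, so it gives the last metadata change rather than the upload time, and an attacker with root can alter the system clock. The hosting company's FTP or HTTP logs record the upload independently of anything touch can rewrite, and are the better source for dating it.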
Admittedly, the answer to question 4 isn’t really an answer, but I wasn’t really expecting an exact figure!
I also asked whether they had a record of my old (compromised) password so that I could retire it if I had used it elsewhere. They did, but had the good sense not to e-mail it to me without verifying that I was happy for it to be e-mailed. Bonus points for the application of common sense in this area!
As I mentioned, both companies appear to be handling the incident well. They contacted all users at the first available opportunity to warn of the breach, and immediately reset all passwords (generating a random string for each rather than a generic default).
It’s unfortunate that they hadn’t completed the planned upgrades before the compromise occurred, but whilst one could suggest that this should have been prioritised, in the world of business these things do happen.
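The reset described above (a fresh random string per user rather than a shared default) combined with the storage upgrade RM promises, as an added example that is not RM's code: the scheme assumed is PBKDF2-HMAC-SHA256 from the Python standard library with a random salt per user, and the sample rows are constructed. The migration consumes the old plaintext table and produces one that holds only hashes, plus the one-time passwords to send out.

```python
import hashlib
import hmac
import os
import secrets

# Assumed scheme: PBKDF2-HMAC-SHA256 from the standard library, one random
# salt per user. This is an added illustration, not RM's actual upgrade.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_all_passwords(old_table):
    """old_table maps email -> plaintext password (the leaked layout).

    Returns (new_table, to_send): new_table holds only hash records, and
    to_send holds each user's one-time random password for the reset e-mail.
    The plaintext column does not survive the migration.
    """
    new_table, to_send = {}, {}
    for email in old_table:
        temp = secrets.token_urlsafe(12)  # per-user random, not a shared default
        new_table[email] = hash_password(temp)
        to_send[email] = temp
    return new_table, to_send


if __name__ == "__main__":
    # Constructed sample rows standing in for the leaked plaintext table.
    leaked = {"alice@example.com": "hunter2", "bob@example.com": "letmein"}
    table, mail = reset_all_passwords(leaked)
    for email, record in table.items():
        print(email, record[:40] + "...", verify_password(mail[email], record))
```

The per-user salt means two users who pick the same password get different records and a precomputed table is useless; the iteration count is what makes offline guessing slow if the table is ever extracted again by the same route; and hmac.compare_digest avoids leaking the position of the first mismatching byte through timing.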
The data held on the site includes:
Interested in (property types)
Address (inc Postcode)
It’s unclear how much data was actually compromised, but it’s fair to state that the above could be considered personal information. These details don’t seem to have been posted, and any competent developer would house login credentials in a separate table to ‘profile’ details. Bear in mind, though, that a separate table is little protection against an SQL injection of this kind: the injected query runs with the web application’s database privileges and can read any table that account can see, so whether the profile data was taken depends on what the attacker chose to extract, not on the table layout.
As frustrating as the breach may be, little harm seems to have been done in this case. If RM’s words are to be believed, lessons have been learnt and the site will be upgraded to prevent a recurrence.
On the other hand, if you are a FHP user and you’ve shared the compromised password between multiple services, you may have your work cut out for you trying to retire the password!
Practice what you preach
I’ve written a good many articles and papers advising on good password security, unfortunately I’ve not always adhered to my own advice. Some time ago, my Gmail account was compromised and one of the possible causes was that the password had been stolen from another site.
The password in use was one that I consider ‘low security’, in that it doesn’t protect any accounts that could be used to cause harm (or at least not individually). If FHP’s breach did occur in April, it’s quite possible that the two are related (especially as the username for FHP was this e-mail address). It’s entirely self-inflicted, as I should know better than to share passwords between systems, but it does serve to highlight the risks of such practices.
I've been lucky in that it was only my Gmail account that was compromised, but I've still had to do a thorough audit of where that password was used.