Forgot your password?
typodupeerror
Security

Scribd Reveals It Was Hacked, Asks Users To Change Their Passwords 38

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Scribd has revealed it was hacked earlier this week, in what it says appears to have been 'a deliberate attempt to access the email addresses and passwords of registered Scribd users.' The good news is that the company believes less than 1 percent of its users were potentially compromised in the attack, and it has emailed each and every one of them asking them to reset their password. The company has set up a Web form for users to check if they are amongst those affected. We recommend that regardless of what the Web form says, and even if you don't use your Scribd account regularly, you should probably change your password."
This discussion has been archived. No new comments can be posted.

Scribd Reveals It Was Hacked, Asks Users To Change Their Passwords

Comments Filter:
  • Access passwords? (Score:1, Insightful)

    by Anonymous Coward

    Scribd itself shouldn't be able to access anyone's passwords. Then no hacker could.
    Salt and hash, people. How does anyone still not get this?

    • Re:Access passwords? (Score:5, Informative)

      by broggyr (924379) <`broggyr' `at' `gmail.com'> on Thursday April 04, 2013 @06:45PM (#43363741)
      According to TFA, they were salted and hashed.
      • According to TFA, they were salted and hashed.

        Mhhm um umh! I loves me some salted password hash browns!

    • i RTFA and it says that the passwords *were* salted and hashed. So apparently the hackers got users' email addresses and the password hash.

      Still, if your website was hacked and people found out about it, it makes sense to tell people to change their password.

      • by icebike (68054)

        Email addresses shouldn't be stored in clear text either.

        • by jcaplan (56979)
          If a site encrypts user's email addresses, they also have to store the key in order to decrypt the email addresses. Once the site has been cracked badly enough to retrieve the password hash file, the key needed to decrypt the emails would likely also be vulnerable, so encrypting user email addresses typically adds little security. The nice thing about hashing passwords is that there is no key to store or be discovered.
          • Why does the site need to be able to decrypt the e-mail address for any other reason than marketing or opt-in notifications? A salted/hashed e-mail address could be used just fine for logging in and sending password reset e-mails (in fact, I plan to do exactly that to avoid exactly this from happening).

            • by tlhIngan (30335)

              Why does the site need to be able to decrypt the e-mail address for any other reason than marketing or opt-in notifications? A salted/hashed e-mail address could be used just fine for logging in and sending password reset e-mails (in fact, I plan to do exactly that to avoid exactly this from happening).

              So how do you notify someone that you've been hacked? And what if you have two people whose emails hash to the same value? (It does happen, and while it's SUPPOSED to be unlikely, "unlikely" has a nasty chanc

  • by Anonymous Coward

    It hasn't been hacked, and it's four visitors this past year don't need to change their passwords.

  • by SuperBanana (662181) on Thursday April 04, 2013 @07:19PM (#43364093)

    Every time someone uploads a PDF to behind scribd's stupid registration-required-to-download-so-I-can-see-it-in-something-bigger-than-a-porthole wall, His Noodliness kills a kitten.

    Seriously, people. There are plenty of places you can upload ANY file to, where only YOU will have to register (and some, even, where you don't!) With Firefox now able to parse PDFs in-browser, there is little excuse for scribd to exist.

    Let's all take this breakin as a great reason to let them head off into the sunset.

    • by jeffmeden (135043) on Friday April 05, 2013 @10:19AM (#43368103) Homepage Journal

      Every time someone uploads a PDF to behind scribd's stupid registration-required-to-download-so-I-can-see-it-in-something-bigger-than-a-porthole wall, His Noodliness kills a kitten.

      Seriously, people. There are plenty of places you can upload ANY file to, where only YOU will have to register (and some, even, where you don't!) With Firefox now able to parse PDFs in-browser, there is little excuse for scribd to exist.

      Let's all take this breakin as a great reason to let them head off into the sunset.

      Wish I could mod you to 1,000. Scribd is the biggest solution looking for a problem i have seen in a long time. Have a PDF to share? Put it on a fucking web server, and let the browser download it (even the terrible adobe reader plugin managed to get search to work, but of course scribd can't figure it out). It's not there to protect copyrighted material, it's there to try to create a userbase where one shouldn't have to exist.

      I set up a junk scribd username/password a while ago to see some content. If a hacker got hold of it, they are going to get what they deserve if they use it to log in. Scribd is a pitiful premise, executed even more pitifully; have all the fun you want, hackers!

  • The slightly concerning thing is that the notice email I got was in my Spam folder. I checked the source carefully and the password reset link appeared to be legitimate. So I've used it (entering my email address only). The next email was also marked as Spam, with GMail saying that a lot of mail received from postmaster.scribd.com is spam.

    Has anyone got any thoughts on this? Has scribd done something dumb in the past? Has their mail systems been compromised too? Is there a concerted effort to fool GMa

  • Chances are this hack was not about getting into people's scribd accounts. It was about getting into their email accounts (and from there into any other site associated with that email address).

    What they should be telling people is not only to change their scribd password, but even more importantly, if you used the same password for scribd as you do you for your email account, you need to change the password on your email account immediately.

    • by Kozz (7764)

      ... if you used the same password for scribd as you do you for your email account, you need to change the password on your email account immediately.

      If you use the same password for scribd and your email account AND you're reading this comment, you're probably lost.

      Here, friend. Maybe you'd feel more comfortable here [funnycatpix.com], or maybe here [facebook.com] or even here [aarp.org]. (after changing your passwords, of course)

  • by fuzzyfuzzyfungus (1223518) on Thursday April 04, 2013 @09:03PM (#43364859) Journal

    Why does this 'Scribd' bullshit even exist?

    A revolutionary technique exists for putting 'pdf' documents on an 'http' server, that doesn't involve flash, registration, or any other bullshit. What, exactly, is the redeeming value here?

Genius is ten percent inspiration and fifty percent capital gains.

Working...