Scribd Reveals It Was Hacked, Asks Users To Change Their Passwords

An anonymous reader writes "Scribd has revealed it was hacked earlier this week, in what it says appears to have been 'a deliberate attempt to access the email addresses and passwords of registered Scribd users.' The good news is that the company believes less than 1 percent of its users were potentially compromised in the attack, and it has emailed each and every one of them asking them to reset their password. The company has set up a Web form for users to check if they are amongst those affected. We recommend that regardless of what the Web form says, and even if you don't use your Scribd account regularly, you should probably change your password."

Access passwords?

[Anonymous Coward]

Scribd itself shouldn't be able to access anyone's passwords. Then no hacker could.
Salt and hash, people. How does anyone still not get this?

Re:Access passwords?

[broggyr]

According to TFA, they were salted and hashed.

Re:

[Anonymous Coward]

In which case you shouldn't change your scribd passwords till you're sure that Scribd isn't still vulnerable to the hackers. Otherwise it could just be a waste of your time.

This assumes you've picked decent passwords and don't reuse the passwords.

If you reuse passwords, priority should be changing them everywhere else, not scribd.

Re:

[Jah-Wren Ryel]

According to TFA, they were salted and hashed.

Mhhm um umh! I loves me some salted password hash browns!

Re:

[Spy Handler]

i RTFA and it says that the passwords *were* salted and hashed. So apparently the hackers got users' email addresses and the password hash.

Still, if your website was hacked and people found out about it, it makes sense to tell people to change their password.

Re:

[icebike]

Email addresses shouldn't be stored in clear text either.

Re:

[jcaplan]

If a site encrypts user's email addresses, they also have to store the key in order to decrypt the email addresses. Once the site has been cracked badly enough to retrieve the password hash file, the key needed to decrypt the emails would likely also be vulnerable, so encrypting user email addresses typically adds little security. The nice thing about hashing passwords is that there is no key to store or be discovered.

Re:

[preaction]

Why does the site need to be able to decrypt the e-mail address for any other reason than marketing or opt-in notifications? A salted/hashed e-mail address could be used just fine for logging in and sending password reset e-mails (in fact, I plan to do exactly that to avoid exactly this from happening).

Re:

[wonkey_monkey]

If password recovery is the only instance where email is sent to users, this should work.

And what about when the database gets hacked and the admins need to send email to the affected users asking them to change their passwords?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[RabidReindeer]

If password recovery is the only instance where email is sent to users, this should work. Login checks for matching email hash and password hash, recovery email is sent to any address with matching email hash. Of course for recovery you still need to send the email address to the server in plaintext, and it will be hard to delete all traces of it on the server.

You really don't want to do that. Unless you have a perfect hash, you have the risk of hash collisions, i. e., false matches. Hash on password is relatively safe. Hash on user identity is not. You could end up sending information to the wrong person. The odds are against it, but Murphy sneers at odds.

Re:

[tlhIngan]

Why does the site need to be able to decrypt the e-mail address for any other reason than marketing or opt-in notifications? A salted/hashed e-mail address could be used just fine for logging in and sending password reset e-mails (in fact, I plan to do exactly that to avoid exactly this from happening).

So how do you notify someone that you've been hacked? And what if you have two people whose emails hash to the same value? (It does happen, and while it's SUPPOSED to be unlikely, "unlikely" has a nasty chanc

Bob's Geocities Page announces

[Anonymous Coward]

It hasn't been hacked, and it's four visitors this past year don't need to change their passwords.

Won't someone please think of the kittens?

[SuperBanana]

Every time someone uploads a PDF to behind scribd's stupid registration-required-to-download-so-I-can-see-it-in-something-bigger-than-a-porthole wall, His Noodliness kills a kitten.

Seriously, people. There are plenty of places you can upload ANY file to, where only YOU will have to register (and some, even, where you don't!) With Firefox now able to parse PDFs in-browser, there is little excuse for scribd to exist.

Let's all take this breakin as a great reason to let them head off into the sunset.

Re:Won't someone please think of the kittens?

[jeffmeden]

Every time someone uploads a PDF to behind scribd's stupid registration-required-to-download-so-I-can-see-it-in-something-bigger-than-a-porthole wall, His Noodliness kills a kitten.

Seriously, people. There are plenty of places you can upload ANY file to, where only YOU will have to register (and some, even, where you don't!) With Firefox now able to parse PDFs in-browser, there is little excuse for scribd to exist.

Let's all take this breakin as a great reason to let them head off into the sunset.

Wish I could mod you to 1,000. Scribd is the biggest solution looking for a problem i have seen in a long time. Have a PDF to share? Put it on a fucking web server, and let the browser download it (even the terrible adobe reader plugin managed to get search to work, but of course scribd can't figure it out). It's not there to protect copyrighted material, it's there to try to create a userbase where one shouldn't have to exist.

I set up a junk scribd username/password a while ago to see some content. If a hacker got hold of it, they are going to get what they deserve if they use it to log in. Scribd is a pitiful premise, executed even more pitifully; have all the fun you want, hackers!

Gmail calls it spam

[Nedmud]

The slightly concerning thing is that the notice email I got was in my Spam folder. I checked the source carefully and the password reset link appeared to be legitimate. So I've used it (entering my email address only). The next email was also marked as Spam, with GMail saying that a lot of mail received from postmaster.scribd.com is spam.

Has anyone got any thoughts on this? Has scribd done something dumb in the past? Has their mail systems been compromised too? Is there a concerted effort to fool GMa

Don't Just Change your Scribd Password

[Jah-Wren Ryel]

Chances are this hack was not about getting into people's scribd accounts. It was about getting into their email accounts (and from there into any other site associated with that email address).

What they should be telling people is not only to change their scribd password, but even more importantly, if you used the same password for scribd as you do you for your email account, you need to change the password on your email account immediately.

Re:

[Kozz]

... if you used the same password for scribd as you do you for your email account, you need to change the password on your email account immediately.

If you use the same password for scribd and your email account AND you're reading this comment, you're probably lost.

Here, friend. Maybe you'd feel more comfortable here [funnycatpix.com], or maybe here [facebook.com] or even here [aarp.org]. (after changing your passwords, of course)

WTF...

[fuzzyfuzzyfungus]

Why does this 'Scribd' bullshit even exist?

A revolutionary technique exists for putting 'pdf' documents on an 'http' server, that doesn't involve flash, registration, or any other bullshit. What, exactly, is the redeeming value here?

Re:

[jma05]

Also, Scribd loads pages just around the page you are reading. Useful on slower, metered connections for large PDFs. Registration requirement is still annoying of course.