• I received a phishing email today – a fairly common phish, but in this case it had my correct password for www.ads-software.com. I use unique passwords and email addresses for every site I register on, and this email was sent to the unique address I have for my www.ads-software.com login.

    In other words, there has clearly been a data breach on www.ads-software.com that has leaked its login addresses and passwords in cleartext.

    • This topic was modified 2 years, 1 month ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Requests and Feedback topic
Viewing 2 replies - 1 through 2 (of 2 total)
  • While that is possible, I’m not so sure that that’s happened.

    WordPress stored users’ passwords as hashed strings which can’t be converted back to plain text. That’s the same functionality that’s on this site. To me, that says that someone having your password in plain-text means that they got it from some other means.

    The most common occurrence of this is malware or spyware on your PC. After that I’d think more along the lines of bad web sites monitoring logins or getting inside your browser’s password store. It could also be some key-logger installed somewhere.

    I’m not saying that any of those has happened to you, but it’s more likely that it has than that the plain-text passwords from a WordPress site have been un-hashed from what’s stored.

    Thread Starter VA1DER (@va1der)

    WordPress stored users’ passwords as

    Yes, I’m aware of how modern systems store passwords. I’m also aware that many systems use insecure hashes, and even if secure, the whole system of entering passwords on the web site is vulnerable to attack. It doesn’t matter how they are stored if they are intercepted at the UI stage.

    The most common occurrence of this is malware or spyware on your PC.

    While possible, of course, I don’t assess it as likely. Before I received the email with my www.ads-software.com login information, I myself hadn’t logged into www.ads-software.com for at least two years. If my computer and/or password manager had been breached, there are far juicier things than my www.ads-software.com login to steal that I use daily, and I’m pretty sure there would be evidence of the breach by now. As in a drained bank account.

    There has been a breach of some sort here. I suspect it’s known by someone, because when I logged in to post about this, I was notified I had to change my password.

    While I appreciate that at least one step was taken to remedy this, it’s irresponsible to have a password breach and not announce it.

    BTW, @jdembowski, with respect to moving this topic, this topic is not about “fixing wordpress” the CMS, so please move this back to where it was. It very much belongs in requests and feedback, since it is about www.ads-software.com itself and not the CMS.

  • The topic ‘Password breach on this site’ is closed to new replies.