Elance.com Security Breach



KarenB
07-18-2009, 04:41 PM
Hello all,

This may or may not apply to your business, but if you are a freelancer who uses Elance.com from time to time and you have some personal information stored with them, you should be aware that it has been reported that their website has recently been hacked.

Here's the Washington Post article dated July 16, 2009:

washingtonpost.com (http://www.washingtonpost.com/wp-dyn/content/article/2009/07/17/AR2009071700066.html)

Karen

KarenB
07-18-2009, 05:14 PM
Just as an addendum, I just tried to log in to Elance and was immediately told that I had to change my password AND answer two security questions - not one, but two. Wow! I guess Elance is taking this security breach pretty seriously, huh?

I originally understood that the hackers had received access to the names, email addresses, physical addresses and phone numbers of their members, and that this information had eventually turned up on another website, but also that the hackers had NOT received access to their passwords and credit card information. Elance said that their hacked records only contained "protected versions of user passwords, in an unreadable format called a one-way hash."

Well, if the hackers could break through Elance's tight security system in the first place, what's to stop them from also decoding the passwords in their 'one-way hash'?

I'm really not getting a warm and fuzzy feeling from all of this.

Karen

vangogh
07-18-2009, 05:39 PM
Thanks for the info Karen. I don't have an account there myself, but I imagine a few people here might.

At least they're taking the security seriously. With the hash, which function they used for encryption will determine how secure it is. In general a hash is pretty secure, but one of the methods that was commonly used for the encryption (MD5) has been broken. I'm not sure how easy it is, but it can be done.

This is actually an issue we might discuss in another thread. Many people are moving their data into the cloud, but how secure the company storing your data is becomes one consideration. For example, last week Twitter was hacked and someone stole some sensitive information. The hack wasn't through Twitter, though, but rather one employee's Gmail account was hacked, and Twitter used Google Docs to communicate, which the hacker could access with the hacked Gmail account.
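Karen asks above what stops the attackers from "decoding" a one-way hash, and vangogh points out that the answer depends on which hash function was used. The following is an added example, not code from either poster or from Elance: it shows why an unsalted, fast hash such as MD5 offers little protection for weak passwords (the attacker does not reverse the hash, they simply hash guesses from a wordlist and compare), and contrasts it with salted, iterated storage using PBKDF2-HMAC-SHA256 from Python's standard library. The leaked rows and wordlist are constructed for the demonstration; the usernames, passwords and the 200,000 iteration count are assumptions, not anything from the article.

```python
import hashlib
import hmac
import os

# Constructed sample of what a leaked user table might look like if a site
# stored unsalted MD5 hashes. Hypothetical rows, not data from any real breach.
LEAKED_MD5_ROWS = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# A tiny constructed wordlist; real attackers use lists of millions of entries.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def crack_unsalted_md5(rows, wordlist):
    """Dictionary attack against unsalted hashes.

    Each candidate word is hashed once and looked up against every leaked
    hash, so a single pass over the wordlist recovers every weak password in
    the table at once. Nothing is 'decoded'; the attacker just guesses.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in rows.items() if h in lookup}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The random per-user salt means a precomputed table is useless and every
    user must be attacked separately; the iteration count (an assumed value)
    makes each guess far more expensive than a single MD5 call.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # alice and bob fall to the wordlist; carol's password is not in it.
    print("cracked:", crack_unsalted_md5(LEAKED_MD5_ROWS, WORDLIST))
    record = hash_password("letmein")
    print("stored record:", record)
    print("verify correct:", verify_password("letmein", record))
    print("verify wrong:", verify_password("letmeout", record))
```

Note that the salted record still does not save a user whose password is "letmein"; it only forces the attacker to spend the full PBKDF2 cost on every guess for every user, which is the difference between cracking a whole table in seconds and cracking a few accounts in days.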

rezzy
07-20-2009, 05:17 PM
I think the larger issue here is first having secure passwords. A lot of cases where information is stolen have to do with someone having a weak password which can be brute-forced. Secondly, for people who create applications, security is a huge concern. Whenever information is taken from a user it must be filtered. This is a must.

Accepting unfiltered input from a user is terrible and can result in any number of problems. In my opinion it is not the fault of the hosting company; it's more so the developer of the software.

I want to admit something. For a few small projects I worked on, I never hashed passwords. I simply stored them in plain text. This is a huge no-no. As a result, I contacted all my clients and updated their code free of charge. Although these were small projects, stopping hackers and other evildoers is a top priority for me and hopefully for other programmers.

That being said, it is unlikely Google made a mistake which would allow any number of attacks to complete. This was most likely a problem with a user using a super easy to remember password.

Elance, on the other hand, I have no idea. I can't vouch for their security practices.
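rezzy's point that "accepting unfiltered input from a user is terrible" is best seen with a concrete case. The following is an added example, not code from rezzy or from any site mentioned in the thread: a login query built by pasting the user's input into the SQL string, next to the same query with bound parameters. The in-memory SQLite table, the user record and the injected input are constructed for the demonstration. The safe version does not "filter" the quote characters; it hands the values to the driver separately from the query text, so they can never become SQL syntax.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not from any real site).

    The password column is labelled as a hash to keep the example aligned
    with the thread's other point: never store the password itself.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn


def login_unfiltered(conn, name, password_hash):
    """Vulnerable: user input is concatenated straight into the query text.

    A name of  alice' --  turns the statement into
        SELECT name FROM users WHERE name = 'alice' --' AND password_hash = '...'
    and the SQL comment marker discards the password check entirely.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password_hash):
    """Hardened: placeholders in the SQL, values bound by the driver.

    Whatever the user types is compared as a literal string value; a quote
    or comment marker inside it is just data.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password_hash = ?"
    return conn.execute(sql, (name, password_hash)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    evil_name = "alice' --"
    print("unfiltered, injected name :", login_unfiltered(conn, evil_name, "wrong"))
    print("parameterized, same input :", login_parameterized(conn, evil_name, "wrong"))
    print("parameterized, real creds :", login_parameterized(conn, "alice", "hash-of-alice-pw"))
```

Parameterized statements are the right fix for data that reaches a database; input that reaches a shell, an HTML page or a file path needs its own context-specific handling, which is why "filter all input" is better read as "never let input be interpreted as code in whatever it is passed to".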