Over twenty thousand people possibly affected

Dec 14, 2009 14:20 GMT  ·  By

The website of the highly popular Practical Fishkeeping aquarium magazine was hacked over a week ago, prompting its administrators to alert the almost 24,000 members that their personal information might have been stolen. The website is still down at the time of writing this article.

Practical Fishkeeping is a best-selling UK aquarium magazine, founded in 1966 and currently published by Bauer Media Group. Its website, practicalfishkeeping.co.uk, is highly frequented, with an Alexa traffic rank of 79,958.

On December 4, the magazine's Editor-in-Chief, Matt Clarke, sent an e-mail to the website's almost 24,000 registered members alerting them of a serious security breach. "We have been made aware that hackers have breached our website security. This is a criminal offence, and information on our register about our readers (usernames, passwords, email addresses, postal addresses and in some cases telephone numbers) may have been viewed or taken," it read.

Trying to access the website displayed a message informing visitors that "Practical Fishkeeping is currently offline for maintenance and should be back up and running shortly." However, the website was still not restored to its previous state even more than one week later, suggesting that it’s undergoing a serious security audit.

And this would be warranted, since the e-mail notification hinted that passwords were stored in unencrypted form. It even advised users that "If you used your password for practicalfishkeeping.co.uk for other websites, you should change those passwords."

Storing passwords in plain text is a major security oversight, yet many high-profile websites have nonetheless been exposed for doing so. Recent examples include a Symantec online store for Japan and South Korea and the PerlMonks community forum.

At the same time, protecting passwords with a weak hashing scheme, such as MD5 without salting, is just as bad. It might take an attacker more time to recover the passwords from such hashes than from plain text, but in essence they are trivial to break, as outlined in the recent proof-of-concept attack on Kaspersky Malaysia.
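The difference between the three storage choices discussed above (plain text, unsalted MD5, and a salted slow hash) is easiest to see side by side. The following Python is an added illustration written for this article, not code from Practical Fishkeeping or any of the sites named; the user accounts and the "common passwords" list are constructed sample data, and the hardened scheme uses PBKDF2-HMAC-SHA256 from the standard library as a representative salted, iterated hash.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample accounts for the demonstration (not data from any real breach).
USERS = {
    "alice": "fishtank1",
    "bob": "fishtank1",        # deliberately the same password as alice
    "carol": "Tr0pical-Waters-77",
}

# A tiny constructed "common passwords" list standing in for a real wordlist.
COMMON_PASSWORDS = ["password", "123456", "fishtank1", "letmein"]

PBKDF2_ITERATIONS = 100_000


def store_plaintext(password: str) -> str:
    """Scheme 1: what the article suggests the site did. Nothing to break at all."""
    return password


def store_md5(password: str) -> str:
    """Scheme 2: unsalted MD5. Fast and deterministic, so equal passwords give equal
    digests, and a digest can be matched against a table computed once, in advance."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Scheme 3: per-user random salt plus a deliberately slow key-derivation function.
    The stored string carries everything needed to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def hash_records(users: Dict[str, str], scheme: Callable[[str], str]) -> Dict[str, str]:
    """Build the credential table a site would persist under the given scheme."""
    return {name: scheme(pw) for name, pw in users.items()}


def has_duplicate_values(records: Dict[str, str]) -> bool:
    """Audit check: identical stored values leak that two users chose the same password."""
    return len(set(records.values())) < len(records)


def precomputed_md5_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Digest -> password map computed once, independent of any particular user or site."""
    return {store_md5(w): w for w in wordlist}


def audit_against_table(records: Dict[str, str], table: Dict[str, str]) -> List[str]:
    """Users whose stored value appears verbatim in the precomputed table."""
    return sorted(name for name, stored in records.items() if stored in table)


if __name__ == "__main__":
    print("plaintext record for alice:", store_plaintext(USERS["alice"]))
    table = precomputed_md5_table(COMMON_PASSWORDS)
    for label, scheme in [("unsalted MD5", store_md5), ("salted PBKDF2", store_pbkdf2)]:
        records = hash_records(USERS, scheme)
        print(f"{label:14s} duplicates visible: {has_duplicate_values(records)!s:5s} "
              f"matched by precomputed table: {audit_against_table(records, table)}")
    stored = store_pbkdf2("fishtank1")
    print("verify correct:", verify_pbkdf2("fishtank1", stored),
          " verify wrong:", verify_pbkdf2("fishtank2", stored))
```

Run as a script, the unsalted MD5 table reveals that alice and bob share a password and both records are matched by a table that was built without ever touching the site's data; the PBKDF2 records show neither property, because each entry is tied to its own random salt and every guess has to be recomputed per user at the chosen iteration cost. The audit helpers are the kind of check a site operator can run on their own credential store before, rather than after, a breach.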

"This attack is highly reminiscent of the recent hack of the Richard Dawkins forum and is very much a trend I expect to see increasing over the coming months and years. Gaining access to the database of a popular website offers potential high returns for relatively little effort. If this phenomenon is in need of a new name, I offer up the term Phlatphishing," Rik Ferguson, solutions architect at Trend Micro, commented.

[Photo gallery, 2 images: "Popular UK aquarium magazine hacked"; "Practical Fishkeeping website down for over a week"]