The hacker known as JokerCracker has breached the websites of Baby Care Advice (babycareadvice.com) and the customer support site of Proximus Security, a video surveillance solutions provider.
According to CWN, from the site of Baby Care Advice, the hacker has leaked the details of around 900 customers, including usernames, email addresses and clear-text passwords.
From the site of Proximus Security, 20,000 similar records have been leaked.
While in the case of Baby Care Advice, most of the passwords are dictionary words, names and numbers, several Proximus Security customers have selected strong passwords, comprising both lower and uppercase letters and symbols.
However, a strong password is not efficient if it’s stored in plain text in an unprotected database.
So what to do when a certain website doesn’t employ best security practices and stores passwords in plain text? According to experts, users should ditch their services altogether.
“Web site users, be vigilant. If you think a site is not treating your PII with the respect it deserves, even for so-called casual or throwaway logins, then consider working, shopping or playing somewhere else,” Paul Ducklin of Sophos advises.
Some sites inform users about the security mechanisms set in place to protect their details, but others don’t. Ducklin provides an important tip on how to determine whether a site is storing your details securely.
The easiest way to find out if your password is stored in plain text or not is to reset your password. If you receive a password reset link, it’s likely that the company is encrypting the sensitive data.
However, if the email you receive contains the password in clear text, the website is storing your credentials in clear text.
As Ducklin highlights, Baby Care Advice hasn’t done much to make sure its customers’ details are protected. It is not even using HTTPS for login, or HTTP challenge-response password verification.