Jul 18, 2011 14:57 GMT

Toshiba has confirmed that one of its US websites was compromised last week, which led to the loss of user account information.

A spokesperson for the consumer electronics giant told the Wall Street Journal that its U.S. unit observed some issues with its web server on July 11 and began investigating.

On July 13 the company confirmed that the server was compromised and user data was stolen. This coincided with a hacker leaking data extracted from the website on Pastebin.

According to the company, the hacked website housed personal information of over 7,500 customers, but only data belonging to 681 of them was compromised.

This is somewhat consistent with what the hacker claimed. He said that one database table called "Tbl_Gb_Users" had 5,203 entries and he eventually leaked around 800 of them.

The Toshiba spokesperson stressed that no financial information or credit card details have been exposed as a result of this security breach. Nevertheless, it's concerning that the company stores user passwords in plain text, a major security oversight for any respectable website.

We performed a password reset on the Toshiba US help and support website where we registered an account. After receiving the temporary password, we logged in and went straight for the password change option to set our permanent access code.

A few seconds after this operation we received a password-changed notification email that contained our new password in plain text. This is insecure for more than one reason.

First, it tells us that the password is stored in plain text in Toshiba's database; otherwise the company couldn't have sent it back to us. Second, most users don't delete such email messages, and if their account is later hacked, the attacker can read the password.
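
The difference between the two storage approaches, as an added example that is not code from Toshiba or from the original article: a plain-text store that can mail the password back, next to a salted, slow-hash store that cannot. The table names, function names, sample account and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "tables"; the names are hypothetical, not Toshiba's schema.
plaintext_users = {}   # weak: username -> readable password
hashed_users = {}      # hardened: username -> (salt, derived digest)

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


def weak_set_password(user, password):
    """Stores the password as-is, so a leaked table exposes it directly."""
    plaintext_users[user] = password


def weak_notification(user):
    """The site can mail the password back only because it kept a readable copy."""
    return f"Hello {user}, your new password is: {plaintext_users[user]}"


def set_password(user, password):
    """Stores a random per-user salt and the derived digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    hashed_users[user] = (salt, digest)


def verify_password(user, candidate):
    """Re-derives the digest from the stored salt and compares in constant time."""
    if user not in hashed_users:
        return False
    salt, digest = hashed_users[user]
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def notification(user):
    """Confirms the change without repeating the secret in the email body."""
    return f"Hello {user}, your password was changed. If this was not you, contact support."
```

With the hardened store, login still works because the site re-derives the digest from whatever the user types, but nothing in the database or the notification email reveals the password itself.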