Board: Bitcoin Discussion
Re: Is this a security issue? Massive worker un & pw list found through google ...
by iamzill on 23/09/2011, 01:24:07 UTC
That was part of our old database.

I have no idea why that information was there and I plan on figuring out which idiot from my team did that.

I am in the process of emailing all the affected users to let them know.

Very bad security practice to leave the account passwords unencrypted, I hope you're not the coder for that site!

Would advise all users to get their miners away from there ASAP

A. We had to keep the WORKER passwords unencrypted so that users could see them and edit them more easily.

B. This is our OLD database on the OLD site. We have since completely rewritten the site's code and it doesn't even use mysql anymore.

C. This happened because one of the guys on the team was doing some debugging and like an idiot did not secure his testing site.

Even so, why have them saved as plain text at all? You can still encrypt with base64 and a salt code that is kept hidden.
They probably thought worker passwords weren't "important" enough.

They aren't "important", they are a mere formality.
And yet several people already had their email account compromised.

The lesson here is that every password the user types is important, because when you have a million users there is at least one dumb-ass who uses his PIN number as his password everywhere.
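The thread argues about whether "base64 and a hidden salt" is an acceptable way to store worker passwords. The following Python is an added example, not code from the thread or from the pool's own site, written to show the difference: base64 is an encoding, so anyone who reads the stored column recovers the password whether or not they know the salt, whereas a salted, iterated hash (PBKDF2 from the standard library is used here as an assumption; the pool's actual stack is not described) lets the site verify a password it can no longer display. Worker names, passwords and the salt are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values: a worker name and the kind of password a
# pool would store for it. Nothing here comes from a real database.
SAMPLE_WORKER = "alice.worker1"
SAMPLE_PASSWORD = "1234"           # a PIN reused as a password, as the thread warns
HIDDEN_SALT = b"secretsalt"        # the "salt code that is kept hidden" idea, 10 bytes


def base64_with_salt(password: str, salt: bytes) -> str:
    """The scheme proposed in the thread: prepend a secret salt, base64 it.

    This is encoding, not encryption. No key is involved, so the operation
    is reversible by anyone holding the stored string.
    """
    return base64.b64encode(salt + password.encode()).decode()


def recover_from_base64(stored: str) -> str:
    """What a reader of the leaked column sees: the salt and the password,
    in the clear, after one base64 decode. Knowing the salt is unnecessary;
    the password is simply the trailing bytes."""
    return base64.b64decode(stored).decode()


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Store a salted, iterated PBKDF2-HMAC-SHA256 digest instead of the password.

    A fresh random salt per record means two users with the same password
    get different stored values, and the iteration count slows guessing.
    Format (an assumption for this example): algo$iterations$salt_hex$digest_hex.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    The site can confirm a login without ever being able to show the
    password back to the user; a leaked record yields a digest, not a PIN.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = base64_with_salt(SAMPLE_PASSWORD, HIDDEN_SALT)
    print(f"{SAMPLE_WORKER}: stored (base64+salt) = {leaked}")
    print(f"{SAMPLE_WORKER}: decoded by anyone   = {recover_from_base64(leaked)!r}")

    record = hash_password(SAMPLE_PASSWORD)
    print(f"{SAMPLE_WORKER}: stored (pbkdf2)     = {record}")
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password verifies:  ", verify_password("4321", record))
```

The cost of the hashed form is exactly the convenience the pool cited: the site can no longer display a worker password for editing, so the usual replacement is a "regenerate" or "set new password" action. That trade is what the thread's last line is about: since users reuse credentials across sites, a value the site cannot read back is the only one that is safe to leak.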