Russian hackers breach CNET, steal one million usernames, passwords and email addresses

The Russian hacker group that goes by w0rm recently breached CNET and pilfered a database containing usernames, emails, and encrypted passwords for more than a million registered users.

On Saturday, @rev_priv8 tweeted “proof” of the hack.

https//w0rm.in/cnet.com.tar.gz cnet hacked, here is src of www. pic.twitter.com/ggkaNF3VfE

— w0rm (@rev_priv8) July 12, 2014

rev_priv8 for w0rm

Janne Ahlberg, a product security professional and pentester who works at Microsoft, pointed out that the leaked source code package contained an offer to sell the CNET database for one bitcoin, which equaled $624.04 at the time of writing this post. CNET later said the group will not “distribute” its source code.

A spokeswoman for CBS Interactive, which includes CNET, admitted that “a few servers were accessed. We identified the issue and resolved it a few days ago. We will continue to monitor.” When prodded for additional details, a spokesperson told SCMagazine, “We want to avoid sharing any information publicly that could motivate or invite any other issues. It’s shut down, it’s done and dusted, and there’s been no impact.”

The hackers broke in by exploiting “a security hole [in] CNET’s implementation of the Symfony PHP framework.” The group said it targets insecure high-profile sites to raise security awareness. The group hacked BBC via FTP in 2013, as well as Adobe and Bank of America websites, allegedly for the same reason.

“[W]e are driven to make the Internet a better and safer [place] rather than a desire to protect copyright,” w0rm told CNET. “I want to note that the experts responsible for bezopastnost [security] in cnet very good work but not without flaws.”

TK Keanini, CTO of Lancope, told CIO that it is important to quickly learn the method and technique the hacking group used to compromise CNET due to the commonality of the infrastructure with other major websites.

“Symfony is not only a popular framework used by many small and big corporations, but it is also the best platform to build Open-Source projects.” According to projects using Symfony, it used by Drupal, phpBB, and Piwik, to name a few.

Yesterday, @rev_priv8 tweeted to CNET, “I have good protection system for u, ping me.”

Although CNET did not advise registered users to change their password on the site, it might be wise. The passwords were encrypted, yet there is no additional information as to how they were protected or if they were salted and hashed.

CNET said its registered users “might not be at risk,” before quoting White Hat Security’s Robert Hansen. “It definitely can feel like a slap in the face to an organization to be hacked,” Hansen said, “but in reality, most of the time in circumstances like this it’s actually a good thing. W0rm was careful not to give the full path to the actual exploit, and informed the general public that the compromise occurred.”

“I guess we should feel grateful that the hackers don’t appear to be interested in exploiting the stolen information (and don’t appear to be serious about selling it onto others),” Graham Cluley told SCMagazineUK.com. “But I am disappointed that CNET hasn’t (so far at least) informed registered users of the security breach. Even if the passwords aren’t cracked, there is other personal information in there which could potentially be exploited by cyber criminals.”

The potential for cybercrooks to get hold of a million users’ information “is why CNET should do the decent thing and reach out to affected users – warning them of the possibility of malicious emails and communications using some of the information that has been exposed,” Cluley added.