Girls’ fashion hangout site leaking millions of plaintext passwords

A flood of plaintext passwords has been, and as of Monday afternoon was still, gushing out from a hangout site for teenage girls.

As Ars Technica reports, the operators of i-Dressup hadn’t responded to editor Dan Goodin’s attempts to inform them that a cyberintruder has already downloaded more than 2.2 million of the improperly stored account credentials.

According to Goodin, the hacker said it took him about three weeks to obtain the data.

There’s plenty more beyond that 2.2 million set of credentials: there’s reportedly nothing standing between other intruders and the entire database of slightly more than 5.5 million entries.

Whoever Ars spoke with said that he’d gotten access to the i-Dressup site by using a SQL injection attack that exploited the site’s vulnerabilities.

To have a site storing passwords in plaintext is like putting on your polyester bellbottoms and hopping in the way-back machine.

As Naked Security’s Paul Ducklin explains:

Plaintext passwords were already passé back in 1976. But here we are, 40 years later, making the same mistakes – we really need to learn our computer security lessons faster than that!

i-Dressup certainly isn’t alone with this misstep, of course.

Last month, the pay-to-click ad service ClixSense sprung a leak, bleeding out 6.6 million plaintext passwords.

A few weeks ago, nearly 100 MILLION plaintext passwords were gouged out of the Russian site Rambler, a popular web portal and free email service.

Troy Hunt, who maintains the data breach awareness portal Have I Been Pwned, likewise hasn’t been able to get a response from i-Dressup.

Those are all plain text passwords and we couldn’t get a response from the site owner. Write-up by @dangoodin001: https://t.co/4Ei6goLZ2y https://t.co/uZ1WZzF8Hr

— Troy Hunt (@troyhunt) September 26, 2016

There’s no word about the breach from the company on its Facebook page besides a commenter posting a link to the Ars article.

I reached out to the company on Messenger and will update this post if somebody gets back to me.

Unfortunately, that’s looking unlikely: Ars has been waiting 6 days for a response. So not only is i-Dressup running an insecure site for teen girls – in spite of assurances to the contrary – but it’s unresponsive to communications about the consequences.

In the meantime, if you use i-Dressup or have young friends or family who do, get them to change their password immediately.

Better yet, perhaps follow Goodin’s advice and consider closing those accounts entirely.

Keep an eye out for scam emails that could exploit the contact information, and if you or anybody you know has used the same password on other sites (a very dangerous thing to do), change those credentials immediately. See below for why that’s so important.

What to do

• Don’t use the same passwords on two different sites. Even if you choose a super-strong password, it only takes one careless site to leak that password in directly usable form.
• Don’t store passwords in plaintext. This is poor security practice, and it’s been both unnecessary and unacceptable for years.
• Don’t retire a server but leave it active on your production network. That’s like replacing all the locks on your house, except for the lock on your back door that you already know is broken.
• Don’t make unsupported claims once you get around to issuing a breach notification. If you want to convince your users that you are now taking security seriously, you need to provide some evidence so that they have a reason to believe you.