Your daily round-up of some of the other stories in the news
Hackers steal 17m passwords from restaurant app
Restaurant app Zomato warned its users around the world on Thursday that it had reset the passwords of about 17m of its users whose details had been stolen from the Indian start-up’s database.
Zomato, which has more than 120m users every month, moved to reassure people that no payment details had been stolen, and said that because some 60% of its users log in via third-party OAuth services such as Facebook or Google, that the company didn’t even have password details for those people. It added that for those passwords it does have, they’re protected by hashing “with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password”.
However, Zomato didn’t say which hashing algorithm it uses, and Motherboard reported on Thursday that “according to a sample of alleged Zomato data posted on the dark web, and additional samples the alleged hacker gave to Motherboard, Zomato used an outdated algorithm to hash its customers’ passwords and only took other, minimal, precautions”.
Zomato later said that the alleged hacker had been “very co-operative”, asking the company to “acknowledge security vulnerabilities in our system … his/her key request was that we run a healthy bug bounty program for security researchers”.
No laptop ban from Europe
Good news for travellers to the US from Europe: officials from the EU and the US have decided not to extend the ban on devices bigger than a smartphone in aircraft cabins, though they did say that other security measures were being considered.
The move is also good news for those who aren’t keen on the thought of an aircraft hold full of the lithium batteries of checked laptops, tablets, Kindles etc: lithium batteries have a habit of bursting into flames.
However, talks on airline safety will continue in Washington DC next week to “further assess shared risks and solutions for protecting airline passengers whilst still ensuring the smooth functioning of global air travel”, said the European Commission.
The airline industry had warned that extending the ban to flights from EU countries could cost more than $1bn in lost productivity and cause chaos at airports in the busy summer holiday period.
Lawmakers warned of hacking attempts
A small number of British MPs and their political staff were targeted in an attack by what “a senior security official” told the Financial Times was likely to have been the work of a nation state.
The threat is still present, the security official said. The MPs and their staff had been sent phishing emails designed to get them to reveal login details to accounts.
The UK’s spy agency, GCHQ, has asked Britain’s election regulator, the Electoral Commission, to warn candidates in the upcoming general election to be vigilant about the threat from hackers.
That warning comes as concerns remain about attacks on last year’s US presidential election and on the new French president Emmanuel Macron during his campaign, thought to be the work of the Russian hacking group Fancy Bear and designed to meddle in the outcome of those elections.
Catch up with all of today’s stories on Naked Security
Laurence Marks
Shouldn’t the use of an individual salt per password make password recovery difficult, even if the hashing algorithm was weak?
Laurence Marks
“…because some 60% of its users log in via third-party OAuth services such as Facebook or Google, that the company didn’t even have password details for those people.”
Now I’m wondering: Is it safer to use an OAuth service (I have a Google account, will never have Facebook) or to have a batch of individual passwords? If the Google password does get compromised (Google gets hacked or I fall for a phishing attempt), there’s much more at stake. If the password is compromised to Joes-not-very-good-security-online-store, that’s all I’ve lost.
I will admit that I’ve taken to using PayPal when ordering small electronic parts from Chinese companies, rather than using my credit card. Any reason why this is not a good idea?
Mark Stockley
We were debating this amongst ourselves a few weeks ago. I think Duck may even have mentioned it in a Facebook live video.
My personal take is that it probably depends on how good you are at creating really good passwords. For people currently reusing passwords using a single sign-on vendor is probably a significant upgrade, particularly if you have 2FA enabled.
Facebook, Google and Twitter are conspicuous by their lack of data breaches and password compromises and Facebook does some excellent work in the area of password security. I’ve never had a Facebook account, I don’t like it one little bit, but I would trust any of those vendors to keep my password secure.
Better than that, in my opinion, is a password manager. This allows you to maintain really strong passwords for every account. This is still a single point of failure though and all password managers don’t work the same way. One that doesn’t store data online is likely to be less useful but harder to compromise. Again, 2FA is a must.
Best of all is keeping all of your long, randomly generated passwords in your head but most of us have upwards of 25 accounts and normal brains so it’s all but an impossibility. That being the case we each have to decide on the least worst compromise.