SitePoint is an online portal which provides some great tutorials on web development. It recently suffered a security breach and lost a considerable amount of user data. This was a rare case in the sense that the attacker did not use the stolen data for personal gain or other malicious activities, but put it up for sale on a cyber-crime forum for the world at large.
How the SitePoint case developed
SitePoint formally announced its data breach and expanded upon the data which was lost. The names, email IDs, usernames, encrypted passwords and IP addresses of 1 million users were compromised.
In order to keep users from panicking, SitePoint issued a public statement that the compromised passwords would not be of much use to anyone even if they fell into the wrong hands. This is because the passwords were hashed with bcrypt and salted. bcrypt is a password-hashing function rather than an encryption algorithm, and a salt is a random value mixed into each hash. It would take the hackers plenty of time to recover plain-text passwords from the long hashed strings.
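A stored bcrypt string carries its own cost factor and per-user salt, and a defender can check both. The following is an added example, not SitePoint's code or part of the original article: it parses constructed placeholder hashes and flags weak cost factors, reused salts and entries that are not bcrypt at all. The minimum cost of 12, the usernames and the sample strings are assumptions made for illustration.

```python
import re

# Modular-crypt layout of a bcrypt string:
#   $<version>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
MIN_COST = 12  # assumed policy threshold for this example, not from the article

# Constructed placeholder strings (not hashes of any real password).
SAMPLE = {
    "alice": "$2b$12$" + "a" * 22 + "X" * 31,
    "bob": "$2b$12$" + "b" * 22 + "X" * 31,
    "carol": "$2a$08$" + "c" * 22 + "Y" * 31,   # low cost factor
    "dave": "$2b$12$" + "a" * 22 + "Z" * 31,    # same salt as alice
    "erin": "0" * 32,                           # unsalted hex digest, not bcrypt
}


def parse_bcrypt(stored):
    """Split a stored bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        return None
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt only defines cost factors 4..31
        return None
    # Each +1 on the cost doubles the key-setup iterations an attacker must pay per guess.
    return {"version": version, "cost": cost, "rounds": 1 << cost,
            "salt": salt, "digest": digest}


def audit(records, min_cost=MIN_COST):
    """Return (user, finding) pairs for a {username: stored_hash} mapping."""
    findings, seen_salts = [], {}
    for user, stored in records.items():
        info = parse_bcrypt(stored)
        if info is None:
            findings.append((user, "not a well-formed bcrypt hash"))
            continue
        if info["cost"] < min_cost:
            findings.append((user, f"cost {info['cost']} below minimum {min_cost}"))
        first = seen_salts.setdefault(info["salt"], user)
        if first != user:  # a salt must be unique per stored password
            findings.append((user, f"salt reused from {first}"))
    return findings
```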
Upon further investigation, SitePoint came to the conclusion that the hackers gained illegal access to their sensitive data via a third-party tool used to connect to and monitor its GitHub account. While the tool remains unnamed, SitePoint confirms that the same group of hackers has used it against others before. They too had their data breached and sold to the public.
“This [tool] allowed access through our codebase into our systems. This tool has since been removed, all of our API keys rotated and passwords changed,” the company said.
As a precaution, SitePoint suggests that its users change their account password if they have also used it for other accounts elsewhere.
Key Takeaways
There are lessons to be learned from every case, no matter the market niche.
Audit and screen all third-party services you use
You may dabble in the technology of your website yourself, or hire a website developer. Whatever the case, it will serve you well to have a basic understanding of how external platforms (like GitHub in this case) communicate with your systems. If there are API calls, are they secure? Do they make data requests that expose your sensitive data? Someone with technical expertise can obtain and analyse this information for you. It is an effort worth undertaking.
Revisit your password policies regularly
Have you ever watched fugitive action thrillers? There’s a reason the hero who wants to evade capture is constantly on the run: they don’t want to get caught. The same is true for your passwords. Believe it or not, once a hacker locks you in as a target, they will go to absurd lengths to learn details about you that help them guess your password. If you keep changing your passwords regularly, it makes it that much harder for criminals to steal your credentials.
Also, never use the same password for two different accounts.
Perform security scans of your website from time to time
Cyber-attacks can be reversed, but what one cannot undo is the loss of trust. We suspect SitePoint will lose a chunk of its audience after the attack. You work so hard to generate quality content. You rinse and repeat to make sure it is perfect for your audience. However, your website is the channel through which you deliver your high-quality content. If that takes a hit, the rest of your efforts stop mattering. Don’t let this happen to you. Protect your brand image from stains by performing frequent website security assessments. We discuss cases like this one from time to time, so a large number of people can benefit from our assessment. To get access to more such security resources, visit our security blog.