DataBreaches.Net


Important Information about a Ravelry Security Breach

Posted on June 6, 2011 by Dissent

Via DataLossDB.org:

From: “Ravelry”
Date: Jun 6, 2011 2:41 AM
Subject: Important information about a security breach at Ravelry.com
To: [redacted]

(Wondering if this email is real? You can also see a similar notice by logging in to Ravelry.com)

*Important Information about a Ravelry Security Breach*

Dear Ravelry member,

An attacker recently managed to break in to one of Ravelry’s secondary servers. Once inside, they were able to access user names, *encrypted* passwords, and possibly email addresses. Your passwords could not be seen and no financial or other sensitive information was accessed as we do not collect or store this type of data.

We think that it is important to be overly cautious and we need you to change your password on Ravelry and on any other sites where you’ve used the same or similar password, even if you used different usernames. Because passwords were encrypted, we do not think that your password has been exposed but it is important to change your passwords just to be safe. There is a chance that some passwords could be decrypted given enough time and computer power and we don’t want to put anyone at risk.

You can change your password by logging into Ravelry (http://www.ravelry.com) and clicking the “change your password now” button on the security notice on the front page. You can also change your password by editing your profile: click your username in the upper right of the page to access your profile, and click “edit your profile” to change your password. If you do not remember your Ravelry password, and you have tried any passwords you may use on other sites, you can click “I forgot” on the Ravelry homepage to receive a link for changing your password. If your browser is remembering your password, you will need to log out to access that option.

*If you would like to delete your Ravelry account,* you do that by going to the change password page mentioned above and using the “Delete my Ravelry account” link.

*More information regarding the security breach,* including the steps we are taking to make Ravelry more secure, can be found in our full notice at http://www.ravelry.com/?showletter=1. Additionally, we are listing answers to Frequently Asked Questions and fielding further questions in our forums. You are also welcome to reply to this message if you have any questions or concerns.

We are deeply sorry that this has happened. We care very much about everyone on Ravelry and we’re taking steps to make sure that we are all more safe from this sort of attack.

We are also very sorry that some people who are not active members may have been affected. If you’d like to delete your Ravelry account, please use the information above to do so.

Casey, Jess, Mary-Heather and Sarah

Nice. A bunch of knitters and crocheters knew to encrypt passwords when Sony didn’t?


2 thoughts on “Important Information about a Ravelry Security Breach”

  1. Anonymous Techie says:
    June 7, 2011 at 1:16 pm

    It’s doubtful that they actually encrypted the passwords. More likely, they were *hashed* which is not really encryption but is pretty good security and an industry standard when it comes to protecting passwords. I’ve heard people referring to hashing as encrypting, possibly because the general public is not as educated about what hashing is.

    In a hash, a string of characters is converted into another string of random characters; thus is your password “hidden” or “encrypted,” if you will. Where it differs from encryption is that the same string of characters will *always* generate the same random characters: if you go down a list of hashed passwords and find two of them that are identical, it’s because the passwords were the same to begin with.

    (There is a chance that two different strings will end up with the same hashed result, but the odds of it are so minuscule you can safely ignore it — a la the odds of your pinky finger being hit by an asteroid. Under no circumstances will the same string result in two different hashes).

    This is how the hackers “decrypt” the passwords: they run their own list of made-up passwords through the same hash algorithm and compare the results to a list of stolen “encrypted” passwords. There are also pre-computed tables of hashed password results sometimes called “rainbow tables” that can be found on-line.

    Why are hashes used? Due to their speed over other security tools, including encryption. What most companies do is store the hashed password. When a user of a service provides their password, that’s also hashed and then compared to the stored hashed password. If there’s a match, you get in. If not, try again.

    As far as I can tell, it seems that Sony did use hashes to protect their data. It’s just that they’ve never referred to it as “encryption.”

    The guy below has a pretty good explanation of hashing and an example of an actual hashed result for the word “sausage.” As you can see, it’s pretty random.

    http://www.mobileprivacy.org/2011/04/sony-psn-data-breach-plain-text-vs-hashed-passwords-explained/

    1. admin says:
      June 7, 2011 at 2:24 pm

      I think Sony did use hashed passwords in at least one of the databases, as I recall seeing something by the hackers as to how easy it was to reveal them, but in other databases, I think the hackers reported that they weren’t even hashed.

      Thanks for your nice explanation of the differences!
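The notice above warns that hashed passwords "could be decrypted given enough time and computer power", and Anonymous Techie's comment describes both halves of that: the login check (hash what the user typed, compare with the stored hash) and the attacker's method (hash a list of guesses with the same algorithm and compare against the stolen list). The script below is an added example written for this page; it is not Ravelry's code and not the commenter's, and the page does not say which hash scheme Ravelry actually used. The users, passwords and guess list are constructed here. The unsalted SHA-1 store shows why identical hashes expose identical passwords and why one table of hashed guesses cracks every user at once; the second store adds the standard mitigation (a random per-user salt and a slow PBKDF2 work factor) and counts how many hash computations the same guess list now costs.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not Ravelry's users, hashes or
# any real wordlist): four members, two of whom chose the same password.
USERS = {
    "alice": "sausage",
    "bob": "knit1purl2",
    "carol": "sausage",
    "dave": "Zg7!qp#1vL9x",  # deliberately absent from the guess list
}

# The attacker's "list of made-up passwords", also constructed here.
GUESSES = ["password", "123456", "sausage", "yarn", "knit1purl2", "letmein"]

ITERATIONS = 50_000  # PBKDF2 work factor used by the salted scheme below


def unsalted_hash(password):
    """Plain SHA-1 of the password: deterministic and unsalted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_db(users):
    """What a site stores when it 'hashes' with no per-user salt."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def verify_unsalted(db, name, candidate):
    """Login: hash what the user typed and compare with the stored hash."""
    return hmac.compare_digest(db[name], unsalted_hash(candidate))


def duplicate_groups(db):
    """Identical stored hashes mean identical passwords (unsalted only)."""
    by_hash = {}
    for name, digest in db.items():
        by_hash.setdefault(digest, []).append(name)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def crack_unsalted(db, guesses):
    """Hash each guess once, then look every stolen hash up in that table.
    Returns (recovered passwords, number of hash computations)."""
    table = {unsalted_hash(g): g for g in guesses}  # a one-off rainbow table
    found = {name: table[d] for name, d in db.items() if d in table}
    return found, len(guesses)


def salted_hash(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256: a random per-user salt plus a slow iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_salted_db(users, iterations=ITERATIONS):
    """Store (salt, digest) per user; the salt is not secret, only unique."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, salted_hash(pw, salt, iterations))
    return db


def verify_salted(db, name, candidate, iterations=ITERATIONS):
    """Login against the salted store: reuse the stored salt, recompute, compare."""
    salt, stored = db[name]
    return hmac.compare_digest(stored, salted_hash(candidate, salt, iterations))


def crack_salted(db, guesses, iterations=ITERATIONS):
    """No shared table is possible: each guess is recomputed per user, and
    each computation costs `iterations` rounds. Weak passwords still fall."""
    found, work = {}, 0
    for name, (salt, stored) in db.items():
        for g in guesses:
            work += 1
            if hmac.compare_digest(stored, salted_hash(g, salt, iterations)):
                found[name] = g
                break
    return found, work


if __name__ == "__main__":
    plain = build_unsalted_db(USERS)
    print("duplicates visible in unsalted store:", duplicate_groups(plain))
    print("unsalted crack (found, hash computations):", crack_unsalted(plain, GUESSES))
    salted = build_salted_db(USERS)
    only_digests = {n: d for n, (_, d) in salted.items()}
    print("duplicates visible in salted store:", duplicate_groups(only_digests))
    print("salted crack (found, hash computations):", crack_salted(salted, GUESSES))
```

Running it shows the asymmetry the notice is hinting at: against the unsalted store six hash computations recover three of the four accounts, and alice and carol are visibly the same password before any guessing starts. Against the salted store the same three weak passwords are still recovered, but only by computing every guess separately for every user at the full work factor, and the two identical passwords no longer share a digest. Salting and a slow hash raise the attacker's cost per user; they do not rescue a password that is on the guess list, which is why the notice's advice to change reused passwords stands either way.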


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.