ISP hacked
-
Wow, I'm impressed. Brand new encrypting technology - UTF8 :laugh: But it's not strong enough (like Latin1 as well). I strongly recommend using something like UTF32. You know, an additional 24 bits makes it harder to decrypt. Or they could just use Japanese or Arabic characters. This will mislead an intermediate European or American hacker.
UTF-8: Unexpected Technical Fault-8
-
There is no :doh: icon large enough to represent my feelings about this one. A professional hosting company should not be making that mistake.
Stats would say that only 500 addresses and passwords are "in the open", with the hackers claiming that they stole 16Gb worth of data. News said that 225,000 people (out of 2 million) have changed their password "already". ..damn, we're fast-acting people 'ere, with all our modern technologies :suss:
Bastard Programmer from Hell :suss:
-
Moved my primary mail to the ISP, since I'm feeling tracked on Google. KPN, the largest ISP in the Netherlands, has been hacked, as they put it. I just received an email telling me that I should reset my password, simply because those were leaked too. The largest Dutch ISP has not yet learnt how to securely store a password. No, that's not even the reason for posting in the Hall of Shame; right after this mess they claim that they're "encrypting passwords" in UTF-8[^]. The tweet is in Dutch. Translated:
Passwords of KPN are encrypted using UTF8
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
Bastard Programmer from Hell :suss:
They should switch to base64. The extra factor of 8 makes it unbreakable for the foreseeable future. :)
Luc Pattyn [My Articles] Nil Volentibus Arduum
-
Luc Pattyn wrote:
They should switch to base64. The extra factor of 8 makes it unbreakable for the foreseeable future. :)
Base64 is actually 6-bit encoding; nothing to do with 64 bits.
-
What the ****? They saved the password in plain text???
-
I don't understand why everyone can't just stick with ROT13 - it's tried and tested AND has the advantage of being fully based on a prime number. :omg: Cheers :)
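An added example (editor's code, not from any poster in this thread and not KPN's): the three "encryptions" proposed above, UTF-8, base64 and ROT13, are keyless, publicly specified and reversible, so a leaked column stored in any of them is a plaintext column. Beside them is what storing a password securely looks like, a salted PBKDF2-HMAC-SHA256 record that can be verified but not reversed, plus a small heuristic audit for a dumped credential column. The sample password, the record format, the `classify_stored_credential` heuristic and the 600,000-iteration work factor are assumptions chosen for this example.

```python
"""Added example, not from the thread: why "encrypted with UTF-8", base64 or
ROT13 is still plaintext, and what a stored credential should look like instead.
The sample password, the audit table and the record format are constructed here."""
import base64
import codecs
import hashlib
import hmac
import secrets
from typing import Optional

# --- the three "encryptions" from the thread: keyless, public, reversible -----

def encode(password: str, scheme: str):
    """Apply the named transformation. None of these takes a key."""
    if scheme == "utf8":
        return password.encode("utf-8")            # same characters, as bytes
    if scheme == "base64":
        return base64.b64encode(password.encode("utf-8")).decode("ascii")
    if scheme == "rot13":
        return codecs.encode(password, "rot_13")   # letters shifted by 13
    raise ValueError(f"unknown scheme {scheme!r}")

def recover_plaintext(stored, scheme: str) -> str:
    """Undo it. Anyone holding the dump can do this; no secret is involved."""
    if scheme == "utf8":
        return stored.decode("utf-8")
    if scheme == "base64":
        return base64.b64decode(stored).decode("utf-8")
    if scheme == "rot13":
        return codecs.decode(stored, "rot_13")
    raise ValueError(f"unknown scheme {scheme!r}")

# --- what "securely store a password" means: salted, slow, one-way -----------

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to hundreds of ms per login

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh random salt per user means equal passwords give different records."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    There is deliberately no function that turns `record` back into `password`."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# --- a quick audit of a dumped credential column -----------------------------

def classify_stored_credential(value: str) -> str:
    """Heuristic (assumed for this example): 'hashed' for the record format
    above; 'base64' if the value base64-decodes to readable text; 'readable'
    for anything else printable (plaintext, "UTF-8 encrypted" and ROT13 all
    land here, since none of them hides the password)."""
    if value.startswith("pbkdf2_sha256$"):
        return "hashed"
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
        if decoded.isprintable():
            return "base64"
    except (ValueError, UnicodeDecodeError):
        pass
    return "readable" if value.isprintable() else "unknown"

if __name__ == "__main__":
    pw = "hunter2"                      # constructed sample password
    for scheme in ("utf8", "base64", "rot13"):
        stored = encode(pw, scheme)
        print(f"{scheme:7} stored={stored!r:16} recovered={recover_plaintext(stored, scheme)!r}")
    record = hash_password(pw)
    print("hashed  record=" + record[:40] + "...  verify:", verify_password(pw, record))
    # constructed "leaked column" with one entry per storage style
    for column_value in ("hunter2", "aHVudGVyMg==", "uhagre2", record):
        print(f"{column_value[:20]!r:24} -> {classify_stored_credential(column_value)}")
```

Running the script shows every encoded value coming straight back to `hunter2`, while the hashed record only answers yes or no to `verify_password`. A leak of the hashed column still justifies the reset mail: a weak password can be brute-forced offline against its salt, which is why a reset is sent whether or not the passwords were "encrypted".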
-
It is getting worse. After changing your password they'll send you the username and new password by snail mail. And the password is readable without opening the envelope.
This isn't actually as much of an epic fail as it appears, since users will presumably change their password immediately upon receiving the letter, so interceptors can only use the password for maybe a day. Considering they've already been hacked in plain text, that's not so bad. It is stupid and symptomatic of a complete failure of security policy, definitely, and pretty shameful. But, imo, not as bad as storing the passwords in plain text in the first place.
-
Eddy Vluggen wrote:
The largest Dutch ISP has not yet learnt how to securely store a password.
Calm down; it's just your ISP. Nothing has gone from your account, right?
Eddy Vluggen wrote:
I'll even be moving my money from the bank tomorrow unless they can prove that they're not saving my password in plain-text format.
In case they were, it will not be only you whose account can be hacked. Take it easy. :)
Regards, Jwalant Natvarlal Soneji
-
I think he knows that... Check out the title of this forum?
Ideological Purity is no substitute for being able to stick your thumb down a pipe to stop the water
-
I'm unable to see your link, because dropbox is not blocked here, but maybe what they meant was that UTF8 is the encoding used to store the encrypted characters, which leaves 1114111 different characters possible if the UTF-8 specification is strictly followed.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
-
-
This is after a password change, not a password reset. They send you a letter every time you change your password, not only the first time. And one of the passwords is also used for account management, so this is really bad in my opinion.
-
One can only hope this is the mistake of the internal communications team and not the infrastructure team writing this. My guess is the marketing group heard an acronym and confused the DB codepage with the encryption type... marketing people's eyes tend to glaze over when technical jargon is slung around. That's why we keep the pretty people away from the smart people. :)
-
On the plus side, anyone who actually reads the notice will take the best security step possible. They will move to another ISP. This protects their password by putting it into the hands of people who have not proven they are incompetent. Hopefully, this will cause a large number of marketing types to quit in disgrace and seek careers in the hospitality or food services industry.
The early bird gets the worm, but the second mouse gets the cheese.
-
Jwalant Natvarlal Soneji wrote:
Calm down; its just you ISP.
It's my primary email, and I was under the assumption that my data was stored securely.
Jwalant Natvarlal Soneji wrote:
In case they were, it will not only you whose account can be hacked. Take it easy.
2 million accounts, and this is not something you can simply shrug off. The information on secure passwords is freely available on the internet, and I'm paying a generous amount for the service. This kind of amateurish crap shouldn't happen.
Bastard Programmer from Hell :suss:
-
-
It was saved in plain text, otherwise they wouldn't have needed to send a mail to 2 million people telling them to change their password.
Bastard Programmer from Hell :suss:
That's not the only reason to send a mail to everyone to change their password. This typically happens in any case of a breach, because encrypted or not the password is compromised.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson