.GIF garage Imgur plugs 1.7 million-subscriber creds breach

Three years and no one noticed they had been breached? Is this bad management, off-shored IT Security, or just plain incompetence?

If someone gets through security and just copies some files there isn't really anything to "notice" until/unless the miscreant in question starts to publically do something with the thieved data. Skiddies like to brag about system breaches or dump/sell the results, but I suspect professional thieves mostly keep quiet about it and use the data for targetted attacks on individuals in ways that can't readily be traced to the original leak (the people using passwords short enough to make brute forcing SHA256 feasible are likely the same ones reusing passwords for different accounts).

Unless it is published somewhere or someone tries to blackmail them, or a suspicious enumeration pattern is detected, then why is it such a surprise that the vendor wouldn't know? If whatever IDS they use (or don't as the car may be) didn't detect the leak, then you don't know what you don't know. In a good deal of cases, the breached data might be circling but no-one knows the origin site. By all means, rouse on them for losing data that should have been private, but that turnaround time is impressive.

We don't yet know how they were breached. It's a little early to draw any conclusions.

"Three years and no one noticed they had been breached? "

Netcraft says it's running Linux. Trying to secure that on the internet is like trying cork the holes in a colander...

Re: no PII but

only "paranoid" keep different emails for distinct "junk" accounts

Why would you not do that? You don't need to be paranoid about security, just pissed off with spam. Even if you don't use your own domain let Google or Microsoft choke on the spamverts, just use a given address for a couple of months then set up a new one.

An address to be used for a service you're going to keep using needs to survive for longer than that so make it unique to that service. If it leaks to spam you can discontinue that particular address and either set up a new one or drop the service.

Re: no PII but

You mean everyones email is not johnsmith1978(at)hotmail(dot)com?

Re: SHA-256 brute force?

Depends if they have a crib or not. If I was in the business of stealing data like this I'd be sure to sign up to the service first so I know the plain text for at least one hashed password in the cache, with that's it's relatively easy to brute force the salt and once you have the salt it's not too tricky, processor intensive and time consuming, but not technically challenging.

Re: SHA-256 brute force?

Assuming salt was used it would be very difficult to brute force such stored passwords.

Plenty of systems like this use the email address as salt (utility: close to zero, especially in a case like this) so the issue comes down to brute forcing the passwords using rainbow tables. On that basis, you can crack a typical password in seconds and that's without counting the inevitable instances of "qwerty12" and "Password1"[1].

[1] And "p@$$w0rD!" isn't significantly stronger. l33+ speak passwords should be banned. They're a menace. You're much more secure with a long password comprised of only lower case alpha characters because you're less likely to need to write it down. Personally, I've just retired: "isthisadaggerwhichiseebeforeme".

Re: "most awesome" my a*se!!

Well, the sub-head does say "self described" so any business with a half conscious marketing bod will have claim some such puffery. Even a fully conscious marketing bod will still lack the self-awareness to realise how naff it is.