Friendster hacked?

bobpullen · 04-04-2007

Looks like friendster.com may have suffered a security breach. More info here.
Found that site after receiving a spam email yesterday containing a password that I commonly use!

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

dvorak · 11-01-2008

never been on friendster... thankfully because after the m&s, play and psn issues would have been the final straw..

Customer / Moderator / If it helped click the thumb / If it fixed it click 'This fixed my problem'

phil4 · 13-12-2007

http://www.theregister.co.uk/2011/06/02/friendster_password_hack_fears/
Lessons:
a) Don't use the same password for important sites as unimportant.
b) Be wary of what data you put into a system/site.
c) Trust no one.
I guess Bob might now see why people like me have been questioning of PN's own storage/access of details (Eg. the whole "why do the CS people need to ask me my password" debate).

bobpullen · 04-04-2007

Quote from: phil4
a) Don't use the same password for important sites as unimportant.

Which I don't thankfully, but I'll admit to using the Friendster password for a lot of eCommerce sites etc. that may/may not store my payment information depending on who they are. I've been compiling a list of passwords I need to change and it's becoming pretty lengthy!
Storing passwords in plain text is a far cry from our support agents having access to your Plusnet credentials (which are fully encrypted and stored in a database that resides on a fully PCI-compliant network).

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

gswindale · 05-04-2007

Bob - is it the full password that is requested when customers ring up?
If so, then that is wrong and should be stopped.
You should only ask for certain characters (similar to online banking logins, my mobile phone provider when I ring them up). That can still be validated against the customer and removes the need for the password to be transmitted "in the clear".

pjmarsh · 06-04-2007

Plusnet have only ever asked me for 2 characters from my password when I've contacted them.
Phil

Mav · 06-04-2007

I've only been asked for the last two characters when I've phoned PN.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

bobpullen · 04-04-2007

Quote from: geofftswin
Bob - is it the full password that is requested when customers ring up?

No, it will typically be two characters as others have alluded to.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

gswindale · 05-04-2007

two characters is probably ok, but I am slightly concerned by Mav's post that suggest they're always the last 2 characters.

Denzil · 31-07-2007

Nope, when I rang them recently it was some other random combination.

jelv · 10-04-2007

Quote from: Bob
I've been compiling a list of passwords I need to change and it's becoming pretty lengthy!

I've been using http://keepass.info/ for some time now and use it to generate passwords. I don't even try to use passwords I can remember for anything except those I have to key regularly (e.g. Windows password for unlocking the work PC when the screen saver has kicked in).

jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)

phil4 · 13-12-2007

Quote from: Bob
Quote from: geofftswin
Bob - is it the full password that is requested when customers ring up?

No, it will typically be two characters as others have alluded to.

As mentioned, a couple of times now I've been asked for the full password.