On May 21, 2010, Skyrock informed users of their social network and blogging platform to change passwords (mots de passe), because of an intrusion detected on May 19. Skyrock does not know what the intruder accomplished. If the password list was stolen, then the passwords of all 32 million users were compromised because they were stored as plaintext.
What should you do if you are a Skyrock user? What should you do if you are not a Skyrock user?
Skyrock is a leading social network site and blogging platform in France, Belgium and Switzerland and the seventh largest social network in the world. The number of accounts that were potentially compromised has been variously reported as between 30 million and 38.5 million.
Social networks with advanced blogging platforms such as Skyrock are a prime target, because successful attackers can steal your identity, install malware on your account, trick your friends into installing malware, and/or break into any other account you own that uses the same password.
If You are NOT a Skyrock User
If you don’t use Skyrock, you should still be concerned. Any Skyrock blog you visit could potentially inject malware into your browser. I discuss defenses for browser-based attacks here. Expect an increase in the number of e-mails or Facebook messages from friends asking you to click a link, watch a video, install something, or send money. If you receive such a message, be very cautious. Verify that it is really coming from your friend before taking any suggested action.
If You ARE a Skyrock User
If you are a Skyrock user, change your password (mot de passe) immediately. Also change your passwords on all other services for which you were using the same password. If you don’t, there is a good chance that every account that uses this password will be taken over, using the method I describe here.
If you have a different password for each of your accounts, the damage from this attack will be minimal. Simply change your Skyrock password and you’re done.
A Better Way to Manage Your Passwords
Most people use the same password for multiple accounts, because it is hard to remember more than a few passwords. This is not a good idea, as many Skyrock users are about to find out.
Earlier this month, I described an easy way to keep track of a different password for each account, here. Use a password manager to assign unique passwords at least 15 random characters long for all accounts, protecting them all with a strong master password. Sounds hard, but it is actually easy to do, and you save yourself time in the long run.
FilterJoe is not a news reporting site, so posts of this type will be rare. I made an exception for Skyrock because it is such a large security breach, U.S. reporting of it has been scarce, and password security has been a recent focus on this site. If a few people improve the way they manage passwords as a result of reading this post, then the exception will have been worth it.