Hash those Passwords

Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.

To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer. His username and password for the billing system were stored in a document unencrypted on his computer. This information was used to access parts of our billing system that, in retrospect, should have been protected better. There are many tools that we can use to limit the access to sensitive information, unfortunately the measures we had already implemented fell short of stopping this specific type of breach.

We are certain that credit card numbers were not exposed, however we do know that a limited number of email addresses and plain text passwords were exposed. We highly recommend that if your PayPal password was the same as your Spry password that you immediately change it.

http://blog.spry.com/2007/11/14/security-breach/

There are at least two things that would have helped Spry here:

• Hash those passwords - when you store a password, you shouldn't store the plain text password it should be hashed. If for some reason you need to be able to recover the password then you should encrypt it.
• Apply the Principle of Least Privilege - My guess is that the Employee who stores his password in a word doc on his computer shouldn't have needed access to customer's passwords.

This also shows that large web hosting environments are not as secure as you might think they would be.