CNET user database stolen by Russian hacking group, auctioned for $600

Of all the sites you'd expect to get hit by a security exploit, a website dedicated to computers and technology is not one of them. But CNET learned the hard way on Monday that editorial focus is no substitute for proper security.

According to CNET itself, a database of usernames, emails, and encrypted passwords belonging to over 1 million users was stolen in an apparent exploit by a Russian hacker group known as 'w0rm'. CNET has acknowledged culpability for the attack, saying that the database was lifted when the hacker exploited a hole in the Symfony PHP framework, which CNET had implemented incorrectly. But despite w0rm's wrongdoing, the group's goals are only somewhat malicious: CNET says that w0rm hacked its site "to improve the overall security of the Web" -- an oft-used catchphrase by grey hat hackers far and wide -- and that users would likely not be at risk.

Despite its claims of decency, w0rm still plans to sell the database for a king's ransom -- one Bitcoin. That's around $600 in regular currency, which is a bit low considering the number of people affected, but just enough for an aspiring hacker to pay without his mother noticing the charges on her credit card.

Source: CNET | Image via @rev_priv8


38 Comments


The log in / join link button link has been removed. I can't even remember if I have a CNET login. I barely visit the site but I wanted to check the forgot password feature if any of my email addresses is available.

> Despite its claims of decency, w0rm still plans to sell the database for a king's ransom -- one Bitcoin. That's around $600 in regular currency, which is a bit low considering the number of people affected, but just enough for an aspiring hacker to pay without his mother noticing the charges on her credit card.

So many contradictions in this one paragraph, it doesn't even make sense.

And anyone who wouldn't notice a $600 charge on a credit card shouldn't have one.

Oh well that site is full of link bait articles and 98% of the users are wannabe fanboi's or trolls I'm surprised the user list is worth that much.

Yep, I use KeePass to do the same thing. Random passwords using the complexity I designate, stored in an encrypted file on my hard drive. Once I open it though I can just copy and paste the passwords over if I need to log back in to something.

Gerowen said,

> Yep, I use KeePass to do the same thing. Random passwords using the complexity I designate, stored in an encrypted file on my hard drive. Once I open it though I can just copy and paste the passwords over if I need to log back in to something.

Only reason I don't use KP is I have so many devices that need it all sync'd up :(

I also suggest random usernames and email addresses by Google randomized with a "." since you can place and remove any . in a Gmail address and it is still the same address. Shame I just started doing this a year ago.

Man I don't even know half the sites I'm a member of anymore. When you've had an online digital footprint stretching back nearly 20 years, paired to multiple email addresses, it's impossible to remember them all.

I hear that!!

I know I had a CNET account at one time, but don't think I ever signed into more than once or twice after I created it!!

Aheer.R.S. said,

> At that time, I joined any forum that offered help especially with xp, this site offered more so I forgot about cnet

For what it's worth, I'd take this site over CNET any day. :p

Admittedly, however, there are some pretty nice news entries on CNET from way back when Windows Vista was still known as Windows "Longhorn". That's the only reason I visit CNET today . . .

Ian William said,

> For what it's worth, I'd take this site over CNET any day. :p
>
> Admittedly, however, there are some pretty nice news entries on CNET from way back when Windows Vista was still known as Windows "Longhorn". That's the only reason I visit CNET today . . .

I used to read tech news from CNET before I came here. Thank god I changed my password to something weak over there before this incident.

Aheer.R.S. said,

> Well, changed my password just in case
> And no that doesn't mean I've changed it to 'just in case' :p

I don't think it will matter. I can't see them or whoever collects the database, want to access some guy's account. It's probably going to be the email list anyone will want for spamming/advertising.

Sammyinnit said,

> I don't think it will matter. I can't see them or whoever collects the database, want to access some guy's account. It's probably going to be the email list anyone will want for spamming/advertising.

Gee, thanks, for a moment I was feeling special.....

Have experience in this field do we? :shiftyninja:

Roger H. said,

> password1 is always the best new password after you've been told to change your old one of simply: password.

:rofl:

Password3 throws them for a loop. They never expect the gap.

Correct but I'm betting a lot of websites do not store user details in a secure manner and leave it that way because 'it works' and it is cheaper to leave it that way than to update it and make it secure.