Gmail, Yahoo, MSN Passwords Exposed By Entertainment Site

Los Angeles Splash Magazines Worldwide, which publishes local versions of its magazines under URLs like NYCSplash.com and LASplash.com, has exposed the personal e-mail addresses and passwords for hundreds of its subscribers. The list of e-mail addresses and passwords for members' Gmail, Hotmail, Yahoo, and other accounts would turn up in the results of unrelated Google searches Monday if those searches happened to contain at least two keywords that matched the names of Splash members. Splash founder Larry Davis said in an interview that he was not aware of the security problem and did not know how it could have occurred. "We have a Webmaster who is supposed to know all about security," said Davis.

Splash's servers are co-located at a Los Angeles Internet hosting company called Calpop. However, Calpop co-founder Lynn Hoover said his company simply rents floor space and bandwidth to Splash and is not involved with the maintenance or operation of its Web sites. Hoover theorizes that the information could have been inadvertently exposed to the Web if the Google search spider happened to be crawling Splash's sites at a time when password-protected pages were open for editing or maintenance. Versions of the pages held in Google's cache would then be publicly available. Understandably, some Splash members are now worried they're going to get soaked by cybercriminals. It's definitely an issue Splash will be dealing with for quite a while. If you're a member, make sure to change your password before you go and write them an angry e-mail.

News source: InformationWeek

Report a problem with article
Previous Story

Samsung Announces 64GB Flash-SSD

Next Story

FileZilla 3.0.0 Beta 7

13 Comments

Commenting is disabled on this article.

I don't get this. Why, if it was the case of something being fixed, would a part of the site that has anything to do with passwords be in a public area if it was being developed/tweaked/fixed... etc?

Ya the article is worded incorrectly. Its the email addresses that the user signed up with exposed and the password for there account that is exposed also. Though majority of people use the same password when signing up for sites as the password for there email login.

So you potentially could get your e-mail hijacked if you did use the same password to login to there site OR just they now have more email addresses to spam at. Not sure what information they could get once they login to your account though either, credit card info? Dunno

If you're a member, make sure to change your password before you go and write them an angry e-mail.

That line makes it sound to me like the site's user database and passwords were exposed, not their actual email address passwords. If I am wrong, then the company needs to get their act together.

WHAT THE HELL! Yes like OPaul said, why does ANYONE other than Microsoft, Google or Yahoo have email account passwords?!?!?!!?!

This is so bang out of order. I'm not a subscriber of this particular magazine, but I'm both furious and worried that details of my email accounts or indeed something slightly more serious like bank accounts could bein the wrong hands.

ALSO

"We have a Webmaster who is supposed to know all about security,"

That's not an excuse! They shouldn't even have access to them details in the bloody first place! Never mind "not exposing them". Boils my blood!

Exactly. I don't understand how another company could have access to these user names and passwords.

There seems to be some mix up on the press side. I think the magazine would use these email addresses as user names but their passwords are not necessarily the passwords to the email accounts (unless the user used the same password).

Maybe the online magazine website allows you to check your email via their site? I don't know- I'm just speculating. Either that, or the press got the info confused, like someone else suggested.

OPaul said,
Why does an online magazine company have Gmail, Yahoo and MSN passwords?

Yeah that makes no sense....If any website not associated with my online email asks for my email password it is not worth using IMO

It makes perfect sense actually. Most sites use your email address as your username. And most idiots use the same password for several sites. Thus the password to login to the online magazine company is the same as the users email password.

Should be changed to:

"We thought we had a webmaster who knew all about not exposing email addresses and passwords"

"We have a Webmaster who is supposed to know all about security,"
Should be changed to:
"We used to have a Webmaster who is supposed to know all about security"

markjensen said,
Should be changed to:
"We used to have a Webmaster who is supposed to know all about security"

Better still:

"We used to have a Webmaster who supposedly knew all about security"