Syrian Electronic Army Pulls 1 Million Credentials From Forbes

This Monday it was revealed that the Syrian Electronic Army, known primarily around the web as SEA, had infiltrated the username/password database of the online magazine Forbes. In total they were able to snag just over one million accounts, and although the stolen passwords are encrypted, users should still be wary as their details could still be under threat.

Forbes was quick to respond to the situation by naming SEA as the prime conspirators in the attack, and warning anyone who had an account on the site that they should change their passwords immediately.

“The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach.”

Security firm Sophos has reported that the passwords swiped during the heist are protected in the PHPass Portable format: each password and a random 6-byte salt were run through the MD5 algorithm to generate a hash, and 8,192 iterations of MD5 were performed on the hash and the password. Once these layers were laid down, the password was finally tucked away on the financial magazine’s home database.

Much like the Adobe hacks, it’s the particularly weak passwords that are cause for the most alarm in these situations. When users utilize credentials as trivial as “123456” as their password, this opens their other accounts across various popular platforms; social media, email accounts, extracurricular services, to the same problems they ended up with at Forbes.

Sophos wasn’t shy about how long it took their team to crack through the encryption set on each password, claiming one core on a single laptop was able to crack 120 passwords in an hour to get the credentials they were looking for.

Granted, it turns out the majority of those cracked first were as simple as the name of the company they worked for, followed by a combination of digits no longer than four characters each, i.e- “Forbes254”.