Gutted: 6.6M cleartext creds, dox, breached in ClixSense site hack

Cleartext passwords, real names and user names, email addresses and IP addresses for 2.2 million users of cash-for-surveys site ClixSense have been dumped online, with a further alleged 4.4 million up for sale. The records also include the pay outs the site has handed each breached user, Australian researcher Troy Hunt …

  1. Destroy All Monsters

    In an upbeat twist they say ClixSense accounts are now "much more secure" without specifying security controls outside of password resets.

    Locking vents, building a flamethrower and looking for stray cats comes to mind.

  2. Jase 1

    It has taught us that regardless of what you do to stay secure, it still may not be enough.

    I would suggest that doing jack shit does not really class as doing anything to stay secure - you stored passwords in cleartext and then have the balls to talk about it not being enough?

  3. John Stirling

    Oh for heavens sake...

    Massively upgraded security. There is now a clear instruction to press Windows-L when they go to the loo.

  4. lukewarmdog

    "It has taught us that regardless of what you do to stay secure, it still may not be enough."

    An old server they weren't using still attached to the database?

    Nobody thought to unplug it?

    I'd suggest they weren't doing anything to "stay" secure, which is definitely nowhere near enough.

    1. Anonymous Coward

      Re: An old server...

      The attackers supposedly accessed the database via an old server.

      I'll be generous and assume access was via a SQL injection via a web page rather than SSH access/an application compromise based on the damage reported.

      Questions are:

      a) should the server have been decommissioned?

      b) if the server was still required, should access from the internet have been removed to prevent it being abused?

      c) was the old server being patched and applications upgraded or was it abandoned?

      d) are they sure the compromise was just SQL access or is the server now totally owned and any passwords/SSH keys now controlled by others. Plus any servers that could be reached by jumping off the first server via common credentials?

      It feels necessary to ask about (d) because the first three questions hint at a degree of carelessness...
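The comment above assumes the database was reached through a SQL injection on a web page. As an added illustration, not code from the article or from ClixSense, here is the classic shape of that bug against a constructed in-memory SQLite table, with the string-concatenated query beside the parameterized one. The table, rows and payload are all made up for the example; the point is that a cleartext password column means a single injected `WHERE` clause hands over every credential in one query.

```python
import sqlite3

# Constructed sample rows standing in for a member table (not real ClixSense data).
# The password column is cleartext on purpose: that is the failure under discussion.
SAMPLE_USERS = [
    ("alice", "alice@example.org", "hunter2"),
    ("bob", "bob@example.org", "letmein"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Profile lookup built by string concatenation.

    Attacker-controlled text is spliced into the SQL, so a quote character
    lets the caller rewrite the WHERE clause instead of supplying a value.
    """
    sql = ("SELECT username, email, password FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement text, so the
    same payload is compared as a literal username and matches nothing.
    """
    sql = "SELECT username, email, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Hypothetical payload: closes the string literal and appends a tautology.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
```

Run it and the concatenated query returns both rows, passwords included, while the parameterized query returns an empty list. Swapping the concatenation for a bound parameter does not fix the cleartext column, but it does stop a web form from being the route to it.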

  5. Terje

    Hmm, cleartext passwords and secure... I don't quite see those two matching one another unless you put a "not" in the middle.

  6. Sebastian A

    Surely any business that gets caught storing passwords in plain text deserves to be shut down no questions asked. How can this still be happening?
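Several commenters make the same point: a dumped table of cleartext passwords is a total loss, whereas a dumped table of properly hashed ones still leaves the attacker with per-account brute force to do. As an added example, not code from the article or from ClixSense, the block below stores and verifies passwords with salted scrypt from Python's standard library. The cost parameters and the `scrypt$N$r$p$salt$digest` record layout are this example's own assumptions, chosen so it runs quickly; a production deployment would tune them to its hardware.

```python
import hashlib
import hmac
import os

# Assumed work-factor parameters for the example (not anything the site used).
# Memory use is roughly 128 * N * r bytes, so N=2**14, r=8 is about 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password, salt=None):
    """Return a self-describing record: scheme, parameters, salt and digest.

    A fresh random salt per user means two users with the same password get
    different records, and a rainbow table built for one salt is useless for
    the rest. `salt` is only overridable for deterministic tests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest from the stored parameters and compare safely.

    Parameters are read back from the record, so old hashes keep verifying
    after the defaults above are raised. compare_digest avoids leaking where
    the first mismatching byte is through timing.
    """
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=len(bytes.fromhex(digest_hex)),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    record = hash_password("hunter2")
    print(record)
    print("correct password:", verify_password("hunter2", record))
    print("wrong password  :", verify_password("hunter3", record))
```

The stored record never contains the password, so a dump of this table gives an attacker a per-user brute-force job bounded by the work factor rather than an immediate login to every account and every other site where the password was reused.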


Biting the hand that feeds IT © 1998–2022