Today I was greeted by the following e-mail in my inbox:
EH-Net Compromise Disclosure
EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as ours as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines.
We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. http://www.milw0rm.com/papers/297. We are providing this link, so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords.
We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.
Donald C. Donzal
The Ethical Hacker Network
Pretty sad. I enjoy their challenges. This goes to show that you always have to be vigilant, and that assuming your site is “unhackable” is a very dangerous attitude.