UserVoice Security Incident Notification (opens in new tab)

(community.uservoice.com)

8 pointsRossP9y ago13 comments

13 comments

Another thread on the incident report here: https://news.ycombinator.com/item?id=11664713 https://status.uservoice.com/incidents/fb7ml8b3nphf

There's a bit more info in this one about exactly what was compromised though. While I can understand the abundance of caution in resetting passwords despite only hashes and salts being lost, it is odd that they would "[presume] the attackers may be able to decrypt the passwords," assuming they're using strong encryption.

runesoerensen9y ago

I wouldn't call resetting passwords an "abundance of caution" in this case. It's very likely that the attackers are able to retrieve passwords when they have the SHA1 hash and the salt (not exactly by decrypting though).

Here's a good blog post how and why this is problematic: https://www.troyhunt.com/our-password-hashing-has-no-clothes...

tempestn9y ago

Do they say somewhere that they're only using sha1 though? That's sort of what I meant: if bcrypt or scrypt is used, with an appropriate work factor, the risk should be very minimal. The fact that they're assuming it's not suggests they are using weaker encryption.

1 more reply

RossPOP9y ago

"In late April, the UserVoice security team learned that an unauthorized party illegally accessed one of UserVoice’s backend reporting systems and was able to view user data on a small subset of users. The user data includes name, email, and a hashed password and salt. Unfortunately, the passwords were hashed with the SHA1 hashing algorithm, which by today’s standards is considered weak. As such, we’re resetting the passwords for all users in our database."

Further information: https://status.uservoice.com/incidents/fb7ml8b3nphf

nacs9y ago

Just got an email from Uservoice about this.

Apparently I'm part of the "0.001%" that was affected in the breach.

tempestn9y ago

It seems likely that they're estimating that percentage, but don't know specifically which accounts were compromised.

nsgf9y ago

Me too. Maybe 0.001% is not accurate.

snoonan9y ago

seconded. I got one too. It seems unlikely we'd converge here if it was only a tiny fraction of users...

1 more reply

j / k navigate · click thread line to collapse

13 comments

tempestn9y ago

Another thread on the incident report here: https://news.ycombinator.com/item?id=11664713 https://status.uservoice.com/incidents/fb7ml8b3nphf

runesoerensen9y ago

Here's a good blog post how and why this is problematic: https://www.troyhunt.com/our-password-hashing-has-no-clothes...

tempestn9y ago

1 more reply

RossPOP9y ago

Further information: https://status.uservoice.com/incidents/fb7ml8b3nphf

nacs9y ago

Just got an email from Uservoice about this.

Apparently I'm part of the "0.001%" that was affected in the breach.

tempestn9y ago

It seems likely that they're estimating that percentage, but don't know specifically which accounts were compromised.

nsgf9y ago

Me too. Maybe 0.001% is not accurate.

snoonan9y ago

seconded. I got one too. It seems unlikely we'd converge here if it was only a tiny fraction of users...

1 more reply

j / k navigate · click thread line to collapse