Thread: Security breach at scan! Consider at least changing passwords

  1. #1
    Member naturbo2000

    Security breach at scan! Consider at least changing passwords

    A few weeks ago I started receiving spam emails to my Scan-only email address. I know there has been a thread regarding the release of Scan customer details to Revoo: http://forums.hexus.net/scan-care-he...l-details.html, but this new issue is much more significant.

    Today I received a spam email to the same email address, containing my Scan password IN PLAIN TEXT in the To: field. I can be quite certain that this is a security breach as I have two Scan accounts and both were breached in exactly the same manner.

    The received email was addressed in the form:
    from: junk_email_address
    to: Password <scan_email_address>
    subject: Looking for Manager


    I reported the original breach to Scan customer services and was assured that no password or credit-card details could have been obtained. Clearly at least the first part of that response is not true. I have updated Scan on this matter, but thought it prudent to inform as many customers as possible to at least change their Scan passwords.


    I've provided an update with a bunch more information in post #63: http://forums.hexus.net/scan-care-he...ml#post2717413
    Last edited by naturbo2000; 21-11-2012 at 11:19 PM. Reason: added more information

  3. #2
    SUMMONER
    Guest

    Surely Scan would not store passwords in plain text!?

  4. #3
    Member naturbo2000

    That's what I thought, but for 2 separate accounts, with two separate email addresses and passwords, I have two spam emails with the account password included...

  5. #4
    HEXUS.social member Disturbedguy

    Has anyone else received these e-mails?
    I have checked my mail and haven't received anything
    Quote Originally Posted by TAKTAK View Post
    It didn't fall off, it merely became insufficient at it's purpose and got a bit droopy...

  6. #5
    Senior Member watercooled

    Nope, just checked myself, but I did clear my spam folder about a week back so can't be sure.

  7. #6
    Member naturbo2000

    Quote Originally Posted by Disturbedguy
    > Has anyone else received these e-mails?
    > I have checked my mail and haven't received anything

    My emails forward to gmail which did spot them as spam (i.e. you would have to check your spam folder). I can't tell you any details of the original emails - I've deleted them - but the most recent emails were sent at 6:27 and 6:44 this morning.

  8. #7
    The late but legendary peterb - Onward and Upward peterb

    I haven't received anything (apart from revoo)

    I am assuming that they were complex passwords, and could not have been obtained from a hacked e mail account, or obtained through a dictionary style attack.

    Few database/CMS systems store passwords in plain text, although the level of protection (from encoding to encryption) may vary. However e-commerce systems usually have strong encryption. That isn't to say it can't happen (twitter for example) just that there may be other explanations. The theft of one account detail is also unlikely - an attack against a password database would result in the leakage of lots of account details.

  9. #8
    Retail Sales Manager Chris P

    We are currently looking into this and will come straight back to you all with a full response.

    Best Regards

  11. #9
    HEXUS.social member Disturbedguy

    Quote Originally Posted by naturbo2000
    > My emails forward to gmail which did spot them as spam (i.e. you would have to check your spam folder). I can't tell you any details of the original emails - I've deleted them - but the most recent emails were sent at 6:27 and 6:44 this morning.

    I checked my spam and my inbox

  12. #10
    Member naturbo2000

    Quote Originally Posted by peterb
    > I am assuming that they were complex passwords, and could not have been obtained from a hacked e mail account, or obtained through a dictionary style attack.

    For that I do have to apologise:
    One password can be dictionary attacked (I know... Strictly my brother's account... He shouldn't be allowed to use the internet).
    The other cannot be dictionary attacked (sufficiently complex combination, not a word or derived from a word), but could be brute-forced due to password length.
    I do not believe that the details have been scraped from my email accounts, as I find no such record of the passwords. I will also rule out keylogger or similar attack as I didn't even remember that I had the less secure account!
    I would expect that Scan would be able to confirm if dictionary or brute force attacks were made on their systems. If I were the subject of a couple of brute force attacks then I stand corrected and will apologise to Scan right now.

    However - given that Scan effectively use multiple passwords (Mother's maiden name plus an additional password), it looks most like something has gotten into their system and scraped the details wrongly. From the way the emails are addressed, it would appear that a scraper assumed the Mother's maiden name to be the password and the additional password to be the customer name!

    I'm very surprised to see that I've received an email each to two separate accounts, yet no-one else has the same issue (yet). It is entirely possible that my accounts have been singled out, but I find it hard to believe.

  13. #11
    Member Dutchjonsey

    I've not got any, either inbox or spam. Weird if they have gone for just you.

  14. #12
    Registered+ Moonglum

    I think I have had the same - I use my work email address, so the email has been blocked by the spam filters (so I cannot check all the details in the email). But it's the same Subject field as yours, and the email is listed as originating from uol.co.br - came through around 11am today.

  16. #13
    HEXUS.social member Agent

    Quote Originally Posted by SUMMONER
    > Surely Scan would not store passwords in plain text!?

    They have done in the past - I don't know if they still do. You can find references to people comparing passwords over the phone to the ones they have on record on Scan's side. You can't do that with a hash, as you need the complete password to hash it.
    Quote Originally Posted by Saracen View Post
    And by trying to force me to like small pants, they've alienated me.
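
Added example, not part of the post above and not Scan's code: a Python sketch of the storage difference this post describes, showing that a plaintext row can be read back character by character (and leaks directly if the table is copied), while a salted-hash row can only confirm a complete candidate password. The record layout, function names, sample password and PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # constructed work factor for this example


def hashed_record(password: str) -> dict:
    """What a site keeps on file when it stores a salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Only a complete candidate password can be checked against the hash."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def read_back_character(record: dict, position: int):
    """Phone-style check: return the character at `position` (1-based),
    or None when the record holds nothing readable to compare against."""
    stored = record.get("password")
    return stored[position - 1] if stored else None


def leaked_secrets(records: list) -> list:
    """Passwords an intruder can read straight out of a copied table."""
    return [r["password"] for r in records if "password" in r]


if __name__ == "__main__":
    pw = "Tr1cky-Pass"                # constructed sample password
    plaintext_row = {"password": pw}  # hypothetical plaintext storage row
    hashed_row = hashed_record(pw)
    print(read_back_character(plaintext_row, 3))   # character is readable
    print(read_back_character(hashed_row, 3))      # nothing to read back
    print(verify(hashed_row, pw), verify(hashed_row, pw[:-1]))
    print(leaked_secrets([plaintext_row, hashed_row]))
```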

  17. #14
    Member naturbo2000

    Some news. I've just had a phone call from a Scan company director to discuss the issue.

    I don't want to go into too much detail as they are still urgently fact-finding and will post a full response shortly. I don't want to make any false claims but thought it might be useful to give people a heads-up.

    It seems the breach was actually back in 2007 and Scan did follow due-diligence to the extent of informing the police of the issue (It would have been nice if they had let customers know as well, but I'll let that slide).
    Anyone with an account after 2007 is apparently unaffected (hence why only myself and Moonglum have the emails just now).
    Accounts before 2007 may have been compromised (though I'm assured that the nature of the breach means credit card details could not have been compromised, even if they were, I don't have them anymore...).

    I'm pleased with the seriousness that Scan are applying to this issue - I believe they are only just now aware that passwords could have been compromised from old accounts. Current encryption policies mean that all data is secure should a breach ever occur in future.

    I suggest that once this is cleared up, Scan get in contact with the affected customers to let them know the situation.

    (Oh and obviously, I should have changed those passwords somewhere in the last 5 years).

  19. #15
    HEXUS.social member Disturbedguy

    Naturbo,

    Thanks for the heads up, my account is pre 2007 so I am now going to wait and see if I hear anything from SCAN. Good to hear you have been contacted.

  20. #16
    Lovely chap dangel

    Interesting timing given the recent breach of data protection there too. Let's hope the two aren't connected - watching my inbox too.
    Crosshair VIII Hero (WIFI), 3900x, 32GB DDR4, Many SSDs, EVGA FTW3 3090, Ethoo 719

