Racing Post Breached; Users' Passwords Stolen

Racing Post Breached; Users' Passwords Stolen
Racing Post Breached; Users' Passwords Stolen

The announcement stresses that no financial details have been lost. "Customer credit and debit card details are not stored on the site and have therefore not been accessed and are not at risk."

It also says that passwords were encrypted. Breach announcements are increasingly describing their password security as 'encryption'. Passwords should be hashed (irreversible) rather than encrypted (reversible). When Adobe announced that its compromised user passwords were 'encrypted', many commentators assumed it was a slip of the tongue, and that the company meant hashed. It turned out that they were indeed encrypted, and Adobe has been roundly criticized since.

In this instance, however, we can be fairly confident that Racing Post means 'hashed.' The company advises customers to change passwords on other sites "if it is the same one that they use for racingpost.com." It then adds, "Customers who are unsure of their password should be aware these are encrypted and we are therefore unable to tell them what the password is;" that is, the security is irreversible. If in doubt, it says, change other passwords anyway, "as we cannot be confident that the hackers will be unable to break the encryption."

The advice is good, but would be even better if it was accompanied by more detailed information. "Our site was the subject of a sophisticated, sustained and aggressive attack on Friday and Saturday, in which one of our databases was accessed and customer details were stolen," it explains. But that's the limit of the explanation. It implies, but does not specify, that the website breach happened within the last few days. It implies, but does not specify, that the attackers can only have had the passwords for a couple of days.

If this is true, then the speed of the company's public notification is commendable – if gives affected users as much time as possible to change other passwords before the Racing Post ones are cracked. But Racing Post has been very economical with its information – it gives no information on how many users have been affected; and more to the point does not say which hash algorithm was used, nor whether they were salted. 

If a weak hash with no salt was used, then users should assume that they will be cracked by the hackers in very short time.

At the time of writing this report the Racing Post website appears to be having problems. A call to customer support 'could not be answered at this time.' There is no indication whether this has any relevance to the breach or not. The Racing Post statement, however, is available on the DataBreaches website.

What’s Hot on Infosecurity Magazine?