NASDAQ Community Website Hacked and Down

Few details are provided in the email. The breach was discovered through "standard security monitoring." The issue was identified and, says the email, "we are in the process of upgrading and restoring the community." It stresses that the breach did not affect NASDAQ's trading or commerce platforms.

But, it warns, "we regret that some of your account information – username, email address and password – may have been affected." It goes on to add that existing passwords have been 'expired' by the admins, and that users will need to create new ones.

Whenever an organization provides only limited information about a breach, security experts and commentators are tempted to fill in the gaps. Graham Cluley surmises that "the servers running the NASDAQ community messageboard software had not been properly configured or not kept updated against vulnerabilities, and this allowed hackers an open window to access sensitive information." More worryingly, he adds, "there is no mention of passwords being securely encrypted suggesting that the site could have been storing users’ passwords in an insecure fashion up until now."

Yahoo's finance blog, The Exchange, suggests that the attack is a fairly typical attack against a seemingly low-value target, and was designed simply to steal the password list. "Such lists can be compiled into software that speeds up the process of breaking into more secure sites that may contain valuable information."

But talking to V3, F-Secure analyst Sean Sullivan warns that it all depends on how forthcoming the NASDAQ community admins have been. What, he asks, if the breach hadn't been to steal the passwords, but primarily to compromise the site and use it as a water hole attack.

Context Information Security recently highlighted that water hole attacks are increasingly replacing spear-phishing as the weapon of choice. "You thought the Twitter, Facebook, Apple, Microsoft watering hole attack compromises via the iPhone Dev SDK forum was bad? Well," says Sullivan, "I think that would be nothing compared to the kind of damage that could be done via NASDAQ."

NASDAQ Community Website Hacked and Down

You may also like

Monster slain by hackers

42 Million Passwords Compromised as Hackers Aim at Cupid Online Dating

Drupal hit by massive data breach

Massive Data Breach Hits Millions of Vodafone Germany Customers

Someone’s got to pay

What’s hot on Infosecurity Magazine?

Alarming Decline in Cybersecurity Job Postings in the US

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Akira Ransomware Group Rakes in $42m, 250 Organizations Impacted

North Korean Group Kimsuky Exploits DMARC and Web Beacons

New Cyber-Threat MadMxShell Exploits Typosquatting and Google Ads

Russia's Sandworm Upgraded to APT44 by Google's Mandiant

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

North Korean Group Kimsuky Exploits DMARC and Web Beacons

Report Suggests 93% of Breaches Lead to Downtime and Data Loss

US Government and OpenSSF Partner on New SBOM Management Tool

Russia and Ukraine Top Inaugural World Cybercrime Index

FBI Warns of Massive Toll Services Smishing Scam

Incident Response: Four Key Cybersecurity Measures to Protect Your Business

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Disinformation Defense: Protecting Businesses from the New Wave of AI-Powered Cyber Threats

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Untangling the Web: Navigating Third-Party Risk in a Hyperconnected World

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024