LulzSec Hacker Victims Alerted

Literary website Writerspace.com has admitted that almost a quarter of the 62,000 e-mail logins published after an attack by LulzSec came from its user database.

In a warning note on the site's homepage, Writerspace said that 12,000 of the leaked e-mail logins were from its members and that it was in the process of contacting the individuals concerned.

"We want to assure our readers that we take our responsibility for protecting your personal information very seriously. Unfortunately, there are people who make it their mission to find and exploit any vulnerability no matter how secure the system," read the note.

The site also mentions that LulzSec has recently hacked the CIA website and U.S. Senate, glossing over the fact that neither of these hacks involved the loss of thousands of e-mail addresses and passwords.

Writerspace then advises users to "make sure the passwords for all of your online accounts adhere to industry security standards," again sidestepping the possible weaknesses of any login system that re-uses e-mail addresses as user names, or simply stores e-mail addresses and passwords together for recovery purposes.

It is not clear that Writerspace used e-mail addresses for logging in, but sites that do run the risk that users will re-use the same logins over and over across multiple sites. This gives anyone hacking one database a way of launching speculative attacks against others using the same information. LulzSec itself makes this weakness part of the point of its attack, encouraging sympathizers to try the logins across different sites.

Better advice would be that anyone whose login was published as part of the leak should change logins on any other sites that might use the same e-mail address as authentication.

"Security techs are scouring the site now," said Writerspace in a tweet. "There's no indication that the site itself has been hacked but we'll post info asap."
