Users of the popular ComiXology online comics platform have been urged by company officials to change their passwords after the company disclosed an intrusion that resulted in the exposure of account information, including the hashes used to protect passwords for the site.
Thus far, it appears that no payment information was compromised in the breach, but often it takes days or weeks for investigators to determine the full extent of a data loss event, as we have seen in the recent Target and related breaches.
The company issued the following email notification, as reported by BleedingCool.com, which includes a cautionary note about the potential for users whose information was compromised to be the targets of phishing campaigns:
Dear Comics Reader,
In the course of a recent review and upgrade of our security infrastructure, we determined that an unauthorized individual accessed a database of ours that contained usernames, email addresses, and cryptographically protected passwords.
Payment account information is not stored on our servers.
Even though we store our passwords in protected form, as a precautionary measure we are requiring all users to change their passwords on the comiXology platform and recommend that you promptly change your password on any other website where you use the same or a similar password. You can reset your comiXology.com password here.
We have taken additional steps to strengthen our security procedures and systems, and we will continue to implement improvements on an ongoing basis.
Please note that we will never ask you for personal or account information in an e-mail, so exercise caution if you receive emails that ask for personal information or direct you to a site where you are asked to provide personal information.
We apologize for the inconvenience. If you have any questions, please contact us by sending an email to firstname.lastname@example.org
The acknowledgement that passwords were being protected by an advanced cryptographic hash value is encouraging, as breaches in recent years have demonstrated that many companies merely store passwords in plain text, or with weak non-hashed encryption.