Another day, and yet another online company has reported that its systems have been compromised, leading to customer information being tapped.
Though it says it wasn’t “legally obligated” to do so, in an email to members yesterday, online reputation-management company Reputation.com informed members that it had suffered an external attack on its network, leading to some names, email and physical addresses, phone numbers, dates of birth, and occupational information being leaked.
It also adds that a list of “highly encrypted” user passwords for a “small minority” of users was accessed. It does stress, however, that given the passwords were “salted” and “hashed”, it’s not likely these could ever be decrypted – but it has changed the password for every user as a precaution.
Reputation.com is an online reputation management company that helps to suppress negative content in search results. It has somewhere in the region of one million users globally.
Reputation.com is one of many online companies to have reported hacks in recent times – LinkedIn, Last.fm, Evernote, Scribd, Yahoo and, just last week, LivingSocial have all suffered attacks in the past year.
While any kind of security compromise is clearly not a good thing, Reputation.com has done all it can retrospectively do on this occasion. It’s also offering free credit monitoring for a year to those affected.
The full message to members can be read below:
“April 30, 2013
Dear [Name Redacted]:
We are reaching out to let you know that Reputation.com recently identified, interrupted and swiftly shut down an external attack on our secure network. Our network security personnel detected this breach shortly after it began, and took immediate steps to stop the attack before it could be completed.
At Reputation.com, transparency and openness are part of our culture. That’s why, although the extent of the breach and the limited kind of information accessed during this attack did not legally obligate us to provide notice to our users, we nevertheless felt it was important to let you know that this event occurred.
It appears that of all the locations in the world where our affected users reside, only the jurisdiction of North Dakota requires us to disclose information about this incident to its residents. However, out of an abundance of caution and due to our strong interest in transparency, we are notifying affected users, regardless of location.
Following the attack, our engineering and security team immediately conducted an exhaustive investigation, working closely with independent security experts to determine what information may have been accessed. We are also implementing additional security measures, beyond the high level of security that is already in place, to ensure your continued protection.
To give you some assurance, we want to be clear what was NOT accessed:
Financial information, such as credit card numbers or bank account information – which we do not store on our systems
Social Security Numbers and driver's license numbers, which we do not ask for or require our users to provide (so you likely did not volunteer this information)
Your account details, including why you retained our services
Communication between you and our team
Any details about the services we provided to you
The personal information that was accessed included:
Email and physical addresses
In some instances, phone numbers, dates of birth, and occupational information
Additionally, a list of highly encrypted (“salted” and “hashed”) user passwords for a small minority of our users was accessed. Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access.
Based on the type of information accessed, we do not believe it’s likely that you will experience any future issues as a result of this incident. However, out of an abundance of caution, we are offering free credit monitoring for a year to those affected clients who request it within the next 30 days.
Security and your privacy remain our absolute first priority. Please do not reply to this email. We have established a confidential assistance line; if you have additional questions, or to receive instructions on how to register for the one (1) free year of credit monitoring, professionals will be at your disposal, Monday through Friday, 8:00 a.m. E.S.T. to 8:00 p.m. E.S.T., at (866) 597-8199. For identification purposes, please provide reference number 7373043013 when calling.
The Reputation.com Team”