This article was published on April 4, 2013

Scribd reveals it was hacked this week, informs ‘less than 1%’ of its users their passwords were compromised

Scribd has revealed it was hacked earlier this week, in what it says appears to have been “a deliberate attempt to access the email addresses and passwords of registered Scribd users.” The good news is that the company believes fewer than 1 percent of its users were potentially affected, and it has emailed each of them asking them to reset their password.

Scribd naturally looked into the attack, concluding that only login credentials were targeted:

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

The company has set up a Web form for users to check whether they are among those affected. Regardless of what the form says, and even if you rarely use your Scribd account, you should change your password, and if you reused it on any other service, change it there too. It is good to see that the passwords were not stored in the clear: the announcement calls them “encrypted,” but the technical wording it gives is the more precise one, salted and hashed. Note the limit of that protection, though. A salted hash stops an attacker from reading passwords directly and from cracking every account with one pass over a wordlist, but it does not stop offline guessing of weak passwords against a stolen table, which is consistent with Scribd saying that its storage scheme kept the damage to a small percentage of users rather than none.
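To make the point above concrete, here is an added example (not code from the original article or from Scribd) of what a salted-and-hashed password table looks like and what an attacker can still do with one once it leaks. The user table, the passwords and the wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 is an assumed construction; the article does not say which hash Scribd used.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Iteration count kept low so the demo runs in well under a second;
# a production deployment would use a far higher work factor.
ITERATIONS = 10_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed sample accounts (not real data). The server only ever stores
# the (salt, digest) pair, never the password itself.
USERS: Dict[str, str] = {
    "alice@example.com": "password123",
    "bob@example.com": "letmein",
    "carol@example.com": "correct horse battery staple 7!",
    "dave@example.com": "password123",  # same password as alice
}
LEAKED_TABLE: Dict[str, Tuple[bytes, bytes]] = {
    email: hash_password(pw) for email, pw in USERS.items()
}

# Constructed attacker wordlist of common passwords.
WORDLIST: List[str] = ["123456", "password", "letmein", "password123", "qwerty"]


def offline_guess(leaked: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                  iterations: int = ITERATIONS) -> Dict[str, str]:
    """What an attacker does with a stolen salted-hash table: try each guess
    against each user's salt. Salting forces one KDF run per guess per user
    instead of one per guess for the whole table, and slows the attacker down,
    but any password that is in the wordlist is still recovered."""
    cracked: Dict[str, str] = {}
    for email, (salt, digest) in leaked.items():
        for guess in wordlist:
            if verify_password(guess, salt, digest, iterations):
                cracked[email] = guess
                break
    return cracked


def compromised_fraction(leaked: Dict[str, Tuple[bytes, bytes]],
                         cracked: Dict[str, str]) -> float:
    """Share of the leaked table whose password the attacker recovered."""
    return len(cracked) / len(leaked) if leaked else 0.0


if __name__ == "__main__":
    # Same password, different digests: the salt is doing its job.
    print(LEAKED_TABLE["alice@example.com"][1] != LEAKED_TABLE["dave@example.com"][1])
    found = offline_guess(LEAKED_TABLE, WORDLIST)
    print(sorted(found))
    print(f"{compromised_fraction(LEAKED_TABLE, found):.0%} of accounts recovered")
```

The accounts with wordlist passwords fall to a dictionary run despite the salt, while the long passphrase does not. That is the practical meaning of “salted and hashed” in an announcement like Scribd's: the storage scheme limits how much of a stolen table an attacker can turn into working credentials, and the weak passwords are the part it cannot protect.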

What’s worrying in this particular case is that Scribd posted its announcement on Wednesday at 4:09 PM. It’s Thursday now and there has been no coverage of the event, with the first blip on our radar being a Hacker News submission from less than an hour ago.

We’re wondering how this could have happened: Scribd is a widely used service and someone should have noticed. It appears that the company made a point of not publicizing this particular attack; it did not post an entry on its blog nor did it tweet about the issue, though it did make the announcement on its site.

Nevertheless, Scribd appears to have taken the other expected measures. The company has implemented “numerous additional safeguards,” is conducting a “comprehensive security review,” and will be “implementing more general measures to proactively enhance security.” Last but certainly not least, it has also apologized and notified the relevant authorities.

For reference, here’s the full announcement:

Earlier this week, Scribd’s Operations team discovered and blocked suspicious activity on Scribd’s network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users.

Because of the way Scribd securely stores passwords, we believe that the passwords of less than 1% of our users were potentially compromised by this attack. We are in the process of emailing every user whose password was potentially compromised with instructions to reset their password.

While we are sending out emails to all affected users as fast as possible, if you are reading this, we recommend you use our web form to check to see if your password was among those affected:

http://www.scribd.com/password/check

Our investigation indicates that no content, payment and sales-related data, or other information were accessed or compromised. We believe the information accessed was limited to general user information, which includes usernames, emails, and encrypted passwords.

Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of our users were therefore unaffected by this; however, our analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, we are therefore asking those affected users to reset their password and to change their password on any other services they might have used it on.

We take our responsibility to protect our users’ data extremely seriously and constantly improve our security infrastructure and policies. Following this incident, we have implemented numerous additional safeguards. Not only have we taken steps to address the specific issues that led to this incident, but we are also conducting a comprehensive security review and are implementing more general measures to proactively enhance security. We are also alerting relevant authorities to the matter and will co-operate with their investigation.

A number of high-profile websites have been hit in the past year with similar attacks, opening up important questions about password security and the re-use of passwords across services. It is important to remember to never re-use passwords across services and to never use passwords that are dictionary words, names, or other easily-guessable choices.

Finally, we would like to sincerely apologize for our failure to live up to our users’ expectations in this instance. We’re incredibly disappointed that this happened and are committed to doing everything we can to prevent this from happening again. We will work harder than ever to ensure that we deserve the trust that our users place in us.

Thank you for reading and thanks for using Scribd.

The Scribd Team

Top Image Credit: McKenna P