Well, I posted this to DataLossDB.org the other day, but seem to have forgotten to have posted it here.
Globe and Mail, the Canadian newspaper, had their online classroom site hacked (http://globeclassroom.ca). The hack was disclosed on Pastebin on November 22, at which time I created an entry for it on DLDB. I then tried to notify Globe and Mail’s online classroom site that over 600 users’ names, e-mail addresses, clear-text passwords, job title, school, and school contact details had been acquired and dumped on the Internet. They did not respond to my courtesy notification, but one paste was removed. Another one, that I had missed, remained.
The removal triggered a response by a hacker, who re-posted the original paste and then pointed me to the the second data dump. I dutifully updated the entry on DLDB.
But now, digging into things a bit more, I see that this same site had been hacked back in July by a hacker who identified himself as part of #AntiSec:
Hi! I’m sepo. For today my target was http://globeclassroom.ca/. It was hacked by a simple SQL Injection. All the data (login email, password, first & second name, adress, school etc.) is dumped to one of my virtual server’s. I was thinking about a deface, but this wasn’t a good idea. Your sec sux! Your data can be stolen! This is a part of #Antisec.
The database reportedly held 4,000 users’ data.
So the site was hacked back in July and again in November. Does Globe and Mail even know? How many hackers have to point out to them that their site is insecure before they get the message? And how would all these users feel if they knew that their passwords were out there with their e-mail addresses?
Hacks like this one have become a common occurrence this year, and it is disturbing that so many sites that have been hacked do not seem to know it and do not check all their e-mail when people do try to notify them.
Maybe if I tweet it?