Off to the Races

31 / 01 / 2017

The online security of over 200,000 Indycar racing fans was put in jeopardy recently. Earlier this month I discovered a large collection of publicly exposed MySQL database backup files at an IP resolving to ims-mysql.indycar.com.

The majority of these backups appear to be merely operational, but what stands out are the Indycar employee login credentials as well as the 200k user accounts containing such fields as email, physical address, first and last name, password hash, username, security question and answer, date of birth, and gender, which essentially makes the find an identity theft treasure trove.

It’s important to point out that the Indycar bulletin board these accounts come from has since been retired. So, there is no need to change your Indycar forum login password. However, if you’re the type of person who reuses passwords (and it’s a shame that most people are), then you should reset any accounts that might be using the same password. If malicious folks came across this data set, they could be deciphering those passwords and attempting to use them on your other online accounts right now.

That leads me to something I’ve wondered for a while now: why do companies hold on to password hashes long after the associated site has been shuttered? That’s nothing but liability. They are putting customers at risk for no gain. There was absolutely nothing for Indycar to gain by holding on to these password hashes. And now they are faced with negative PR as word of the situation gets out to racing fans.

I can only assume the attorneys and risk-management folks working for Indycar were unaware that defunct forum logins were being stored. Taking big risks, with zero chance of reward, is not how those types of people keep their jobs. If you’re reading this, and you manage risk at a large company, you should really ask your IT staff two important questions:

1) What are we storing?

2) Do we really need it?
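One way to put those two questions into practice, as an added example that is not part of Chris Vickery's post or of any MacKeeper tooling: a small Python script that reads a mysqldump-style schema file, inventories every table's columns, and flags the tables that hold credentials, account-recovery data (security questions and answers), or personal data. The dump text below is constructed for illustration, modelled on the kinds of fields described above; the keyword patterns are an assumption and would be tuned to a real schema's naming conventions.

```python
import re
from typing import Dict, List

# Constructed sample of a mysqldump-style schema: a retired forum's user table
# next to an ordinary operational table. Assumption: real backups follow the
# standard `CREATE TABLE ... ENGINE=...` layout that mysqldump emits.
SAMPLE_DUMP = """
CREATE TABLE `forum_users` (
  `user_id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(64) NOT NULL,
  `email` varchar(255) NOT NULL,
  `password_hash` varchar(128) NOT NULL,
  `first_name` varchar(64) DEFAULT NULL,
  `last_name` varchar(64) DEFAULT NULL,
  `street_address` varchar(255) DEFAULT NULL,
  `date_of_birth` date DEFAULT NULL,
  `gender` char(1) DEFAULT NULL,
  `security_question` varchar(255) DEFAULT NULL,
  `security_answer` varchar(255) DEFAULT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB;

CREATE TABLE `race_results` (
  `result_id` int(11) NOT NULL AUTO_INCREMENT,
  `race_name` varchar(128) NOT NULL,
  `finish_position` int(11) NOT NULL,
  PRIMARY KEY (`result_id`)
) ENGINE=InnoDB;
"""

# Column-name fragments mapped to a data category. Order matters: the first
# category whose pattern matches a column wins. These lists are assumptions
# for the example and should be extended for a real schema.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"passw|pwd|hash|secret|token", re.I),
    "auth_recovery": re.compile(r"security_(question|answer)", re.I),
    "pii": re.compile(r"email|first_name|last_name|address|birth|dob|gender|phone", re.I),
}

# One CREATE TABLE statement: table name plus the parenthesised column list.
TABLE_RE = re.compile(r"CREATE TABLE `(?P<name>[^`]+)` \((?P<body>.*?)\)\s*ENGINE", re.S | re.I)
# A column definition line starts with a backtick-quoted name; index and key
# lines (PRIMARY KEY, KEY, UNIQUE ...) do not, so they are skipped.
COLUMN_RE = re.compile(r"^\s*`(?P<col>[^`]+)`", re.M)


def inventory(dump_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {table: {category: [columns]}} for every table whose schema
    contains at least one column matching a sensitive pattern.
    Tables with no sensitive columns are omitted from the result."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for m in TABLE_RE.finditer(dump_text):
        table, body = m.group("name"), m.group("body")
        hits: Dict[str, List[str]] = {}
        for col in COLUMN_RE.findall(body):
            for category, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(col):
                    hits.setdefault(category, []).append(col)
                    break
        if hits:
            report[table] = hits
    return report


def tables_needing_review(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Tables that hold credentials or account-recovery data: the ones to ask
    'do we really need it?' about first, since a leak of these lets an
    attacker pivot to the same users' other accounts."""
    return sorted(t for t, cats in report.items()
                  if "credential" in cats or "auth_recovery" in cats)


if __name__ == "__main__":
    findings = inventory(SAMPLE_DUMP)
    for table, cats in findings.items():
        print(f"{table}:")
        for category, cols in cats.items():
            print(f"  {category}: {', '.join(cols)}")
    print("review first:", tables_needing_review(findings))
```

Run against a real backup directory, the output is a per-table list of what is being stored and which tables carry the highest-liability fields; a table that belongs to a retired site and still shows up under "credential" or "auth_recovery" is the case the post describes.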

The MacKeeper Security Research Team regularly uncovers breaches containing unnecessary, sensitive data that really didn’t need to be there in the first place. And if the liability concerns aren’t enough to sway you, just think about it as a cost-saving measure. Storage isn’t cheap.

As this month draws to an end I’ll leave you with a sneak peek of an upcoming announcement: there’s a new 1+ billion leak on the horizon. 1,404,749,583 to be exact. That’s not a typo.

***
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery. 
Do you have security tips or suggestions? Contact: cvickery@kromtech.com or security@kromtech.com
Stay tuned to the latest security news by visiting MacKeeper Security Watch blog with Chris Vickery.