Posts Tagged ‘personally identifiable information’

A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to “several hundred” affiliates with the personally identifiable information of over 21,000 Yankees ticket holders.

According to the Yankees, the spreadsheet contained customers’ names, addresses, phone numbers, fax numbers, email addresses and other information like their seat numbers and which ticket packages they purchased.

Later this afternoon DSLReports.com disclosed that they had been the victims of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a “sql injection attack by a botnet on Wednesday afternoon obtained a large number of email / password pairs.”

Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.

To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports’ database were in clear text. No hashing, no salting, totally unencrypted.

Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.

They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?

German software company Ashampoo has been the target of a recent hacking attempt. Hackers gained access to one of Ashampoo's servers. The company discovered the break-in and interrupted it instantly. The security gap through which the hackers gained access was closed immediately. However, the hackers did manage to steal personally identifiable information, including customer names and e-mail addresses. Billing information (e.g. credit card information or banking information), however, is not affected, because this data is not stored on the company’s system.

According to Rolf Hilchner, CEO of Ashampoo, “Like many other companies we are targeted by organizations of hackers that try to break into IT systems in order to steal data. Unfortunately, one of our security systems fell victim to such an attack recently. An unauthorized access to one of our servers took place. However, subsidiary companies of the Ashampoo group are not affected by this incident.”

“Hackers often follow the pattern that they make people insecure e.g. with a confirmation of an order whose attachment is then opened or rather executed. Generally it is always important that you stay suspicious of unknown senders and that you do not respond to requests that tell you to open attachments,” Hilchner said in a note to the company's customers.

“Please make sure that there always is an anti-virus program installed, whose security signatures are up to date. System checks should be carried out regularly. Furthermore, never use your access passwords repeatedly (eBay, Amazon etc.) and make your password as complicated as possible, for example by using special characters, numbers as well as uppercase and lowercase. Please change your passwords regularly,” he further suggested.