Crystal Web Hack, Resolution and Consequence

JohnDoer (New Member, joined Oct 10, 2016)
I know there have been many of these threads on here, complaining about the hack, but has anything actually been done?
Is there anything that can actually be done apart from just finding another ISP?

I understand that IndigoVision is the one responsible for the breach, but I feel Crystal Web has not communicated how serious the hack actually was. In the list I'm looking at there are over 5000 Name, Email and Password combinations. Most of the passwords were auto-generated and therefore unique to Crystal Web, but there are many passwords which are set by the user and could be shared with other accounts online (yes this is not the best personal security practice but not everyone is tech savvy.)

I believe Crystal Web has lied to their customers by saying no sensitive information has been leaked and they should inform all their customers who had custom set passwords to make sure that no other accounts online use the same email and password combination. I searched the list for my friends and saw their password which I know they use to log into their main email accounts. (And as most of you know, if someone gains access to someone’s main email account they can then possibly get banking details or other sensitive account details.)

Further to this, why after being hacked and promising to focus on security do they then send my password as plain-text to my email address? How can they be hashing the password correctly if it is available in plain-text to send to me?

I am tempted to email everyone on the list and inform them to change their password.

What else can be done?
 
Mail the list to a Security Researcher Troy Hunt who runs haveibeenpwned.com.
He deals with breaches
 
I know there have been many of these threads on here, complaining about the hack, but has anything actually been done?
Is there anything that can actually be done apart from just finding another ISP?

I understand that IndigoVision is the one responsible for the breach, but I feel Crystal Web has not communicated how serious the hack actually was. In the list I'm looking at there are over 5000 Name, Email and Password combinations. Most of the passwords were auto-generated and therefore unique to Crystal Web, but there are many passwords which are set by the user and could be shared with other accounts online (yes this is not the best personal security practice but not everyone is tech savvy.)

I believe Crystal Web has lied to their customers by saying no sensitive information has been leaked and they should inform all their customers who had custom set passwords to make sure that no other accounts online use the same email and password combination. I searched the list for my friends and saw their password which I know they use to log into their main email accounts. (And as most of you know, if someone gains access to someone’s main email account they can then possibly get banking details or other sensitive account details.)

Further to this, why after being hacked and promising to focus on security do they then send my password as plain-text to my email address? How can they be hashing the password correctly if it is available in plain-text to send to me?

I am tempted to email everyone on the list and inform them to change their password.

What else can be done?

Everyone on the list WAS informed by CW when it happened as far as I know. It was also submitted to haveibeenpwned.

What's your dog in this fight?
 
Why create a new alias to make this thread? You clearly read and post under a diff name, this much is obvious based on your opening post.

Surely all the relevant info can be gained from the main thread, is this to maybe stir the pot a bit?
 
Why create a new alias to make this thread? You clearly read and post under a diff name, this much is obvious based on your opening post.

Surely all the relevant info can be gained from the main thread, is this to maybe stir the pot a bit?

Hence my question.

There seems to be a coordinated effort to target CW's reputation...
 
Why create a new alias to make this thread? You clearly read and post under a diff name, this much is obvious based on your opening post.

Surely all the relevant info can be gained from the main thread, is this to maybe stir the pot a bit?

Does it matter?
 
haveibeenpwned is actually where I found out about it.

And as to why I'm doing this, I'm concerned about people's online security and transparency of the extent of the hack. The fact that many of my friends didn't know their passwords were released with their names and email address shows they haven't been correctly notified.

Also I'm a huge fan of Crystal Web, been using them for over a year and I recommend using them to everyone I speak to about ISPs.

I also can't understand how in the year 2016 they aren't hashing passwords or ensuring that their security provider hashes.
 
Yes, because clearly somebody isn't getting the attention they want, so now resorts to creating a new alias and creating a new thread when this was discussed ad nauseam elsewhere.

So I acknowledged the fault was with IndigoVision, and not Crystal Web. I haven't blamed Crystal Web for the hack, I'm just saying they need to be more transparent about the hack. If people still have sensitive password and email combinations online, is stirring the pot such a bad thing?

Edit: Also the reason for the new account was because I'm actually considering emailing all those addresses with the password they have there and asking them to make sure they don't use that password for any other online accounts. (And not sure of the legal ramifications of such an action)
 
haveibeenpwned
I also can't understand how in the year 2016 they aren't hashing passwords or ensuring that their security provider hashes.

Because they stupidly enough trusted a 3rd party to manage this and were let down.

They confirmed their debit order details were stored on a 3rd party system, which I believe as I've had to have details changed before. I've also seen nothing to hint at there being a breach in this data security.

So that leaves what, the username and password. Yes this can be damaging to people who have asked for a custom password made up of one of their more regular passwords (internet banking etc etc) but I think this would be a small portion and the end result that their internet banking is now compromised is highly unlikely.

If data is stolen, this is tracked easily enough to be corrected. Stealing of DSL usernames and passwords is nothing new at all. Not sure if you were aware of the theft that occurred when Telkom first deployed ADSL with default routers and customers who couldn't change the passwords. Let's just say a port scan and some default password combinations got you that ADSL username and password stored in the routers. This was an absolute disaster for users as their data was ACTUALLY stolen. I haven't found one instance of anything being stolen, other than the fact that this information was sent out.

I'm confident they patched the hole in their system, and are being extra cautious going forward. Good companies can make mistakes, accidents happen, especially if seemingly targeted. The substance is in how the company deals with that, and moves forward. CW is doing a fine job.

So although my details were emailed out, I've yet to actually be affected by this.
 
So I acknowledged the fault was with IndigoVision, and not Crystal Web. I haven't blamed Crystal Web for the hack, I'm just saying they need to be more transparent about the hack. If people still have sensitive password and email combinations online, is stirring the pot such a bad thing?

But why create a new profile and thread for this? The manner in which you did it raised my eyebrow, wasn't the only one.

Rather don't change your password, just leave it as default. Ideally you only need to change this if you want it to be changed, or if the ISP changes it, or if your router dies. Either way, the ISP should give it to you, no need to remember it.

Just one password one doesn't need to try to remember in my opinion. But yes, this doesn't condone sending out details in either way.
 
I'm confident they patched the hole in their system, and are being extra cautious going forward. Good companies can make mistakes, accidents happen, especially if seemingly targeted. The substance is in how the company deals with that, and moves forward. CW is doing a fine job.

So like I said in my original post, the problem is they don't seem to have patched the hole in their system, because how could they have hashed the new passwords if they are sending them out to their customers in plain-text?
 
So like I said in my original post, the problem is they don't seem to have patched the hole in their system, because how could they have hashed the new passwords if they are sending them out to their customers in plain-text?

How do you know they're sending passwords out to customers in plain text?
 
He mentioned he is a CW customer.

haveibeenpwned is actually where I found out about it.

And as to why I'm doing this, I'm concerned about people's online security and transparency of the extent of the hack. The fact that many of my friends didn't know their passwords were released with their names and email address shows they haven't been correctly notified.

Also I'm a huge fan of Crystal Web, been using them for over a year and I recommend using them to everyone I speak to about ISPs.

I also can't understand how in the year 2016 they aren't hashing passwords or ensuring that their security provider hashes.

How do you know they're sending passwords out to customers in plain text?
 
Yes, because clearly somebody isn't getting the attention they want, so now resorts to creating a new alias and creating a new thread when this was discussed ad nauseam elsewhere.

Iirc I also received detailed communication from CW that time. Only after I read about it on Mybb.
They couldn't have done anything more than what they have imho
 
Like I said earlier, I am a customer of Crystal Web, and I got sent my new password, in plain-text...

Wait, you expect them to send you the hash?

ok then :p Good luck using it ...

Generate password. Send to user. Hash. Store in DB.
 
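The flow stated in the post above, as an added example that is not from the thread or from Crystal Web: the generated password is sent to the user exactly once, then only a salted PBKDF2 hash is stored, so a later e-mail containing the plain-text password would mean the plain text was kept somewhere. The account name, the in-memory store and the notify callback are stand-ins constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the credentials table: username -> record without plaintext
CREDENTIAL_STORE: Dict[str, dict] = {}

ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 200_000          # PBKDF2 work factor; tune upward on real hardware


def generate_password(length: int = 16) -> str:
    """Draw the password from the OS CSPRNG; this is the only time it exists in the clear."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per account unless one is supplied."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def provision_account(username: str, notify: Callable[[str, str], None]) -> dict:
    """Generate, send to the user, hash, store: nothing but salt and hash survives server-side."""
    password = generate_password()
    notify(username, password)                      # e.g. the welcome e-mail, sent once
    salt, dk = hash_password(password)
    record = {"salt": salt, "hash": dk, "iterations": ITERATIONS}
    CREDENTIAL_STORE[username] = record             # no plaintext field exists to leak or resend
    return record


def verify_password(username: str, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    rec = CREDENTIAL_STORE.get(username)
    if rec is None:
        return False
    _, dk = hash_password(candidate, rec["salt"])
    return hmac.compare_digest(dk, rec["hash"])


if __name__ == "__main__":
    sent: Dict[str, str] = {}
    provision_account("alice@example.invalid", lambda u, p: sent.__setitem__(u, p))
    print(verify_password("alice@example.invalid", sent["alice@example.invalid"]))  # True
    print(verify_password("alice@example.invalid", "not-the-password"))            # False
```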
Iirc I also received detailed communication from CW that time. Only after I read about it on Mybb.
They couldn't have done anything more than what they have imho

Nowhere in their communications to me do they mention that I should change my password if that password is used on other online accounts.

My question is what would be the consequences to me if I were to email everyone on that list with their password and ask them to remove that password from any online account they own?
 
Nowhere in their communications to me do they mention that I should change my password if that password is used on other online accounts.

My question is what would be the consequences to me if I were to email everyone on that list with their password and ask them to remove that password from any online account they own?

Prosecution under the ECT act - unlawfully accessing information you are not entitled to access - sending of unsolicited email... the list goes on.
 