Crystal Web Hack, Resolution and Consequence

Wait, you expect them to send you the hash?
Generate password. Send to user. Hash. Store in DB.

No, I expect them to allow me to enter in a password on their website which will get hashed, salted and stored in their DB.
 
Nowhere in their communications to me do they mention that I should change my password if that password is used on other online accounts.

My question is: what would be the consequences to me if I were to email everyone on that list with their password and ask them to remove that password from any online account they own?

Send your query to [email protected]
 
No, I expect them to allow me to enter in a password on their website which will get hashed, salted and stored in their DB.

Once the portal is up, I'm sure this will be possible?
 
No, I expect them to allow me to enter in a password on their website which will get hashed, salted and stored in their DB.

But when they auto-generate a password for you (no, not just you, every one of their customers) - how would you like them to get it to you so you can update your DSL config accordingly?
 
But when they auto-generate a password for you (no, not just you, every one of their customers) - how would you like them to get it to you so you can update your DSL config accordingly?

Like Sinbad mentioned, an Online Portal would be the best way.

In terms of legality, I'm sure they have covered themselves legally, and are perhaps not obligated to warn their customers of the risks, but are we just meant to shrug our shoulders saying we can't do anything, knowing that there are hundreds of open accounts on that list?
 
I know there have been many of these threads on here, complaining about the hack, but has anything actually been done?
Is there anything that can actually be done apart from just finding another ISP?

I understand that IndigoVision is the one responsible for the breach, but I feel Crystal Web has not communicated how serious the hack actually was. In the list I'm looking at there are over 5000 Name, Email and Password combinations. Most of the passwords were auto-generated and therefore unique to Crystal Web, but there are many passwords which are set by the user and could be shared with other accounts online (yes, this is not the best personal security practice, but not everyone is tech savvy).

I believe Crystal Web has lied to their customers by saying no sensitive information has been leaked, and they should inform all their customers who had custom-set passwords to make sure that no other accounts online use the same email and password combination. I searched the list for my friends and saw their password, which I know they use to log into their main email accounts. (And as most of you know, if someone gains access to someone’s main email account they can then possibly get banking details or other sensitive account details.)

Further to this, why, after being hacked and promising to focus on security, do they then send my password as plain-text to my email address? How can they be hashing the password correctly if it is available in plain-text to send to me?

I am tempted to email everyone on the list and inform them to change their password.

What else can be done?

I am a CW user and was informed by them of both breaches and advised to change my password. No biggie.

Sharing passwords across websites is not very clever.
 
Wait, you expect them to send you the hash?

ok then :p Good luck using it ...




Generate password. Send to user. Hash. Store in DB.

I would have expected them to send me the password via an encrypted PDF file. Same as some companies send their statements encrypted with the individual's account number, not plain text. Or amend their system to allow users to change their own password.
This is the second occasion where they have requested I change the router password after a hack.
 
So I acknowledged the fault was with IndigoVision, and not Crystal Web. I haven't blamed Crystal Web for the hack, I'm just saying they need to be more transparent about the hack. If people still have sensitive password and email combinations online, is stirring the pot such a bad thing?

Edit: Also, the reason for the new account was because I'm actually considering emailing all those addresses with the password they have there and asking them to make sure they don't use that password for any other online accounts. (And not sure of the legal ramifications of such an action.)

Well, if you email me I will be annoyed, as you are using my details without my permission.
 