This article is more than 1 year old
SitePoint hacked: Hashed, salted passwords pinched from web dev learning site via GitHub tool pwnage
If you started off there, best change your reused credentials
SitePoint, an Australian learn-to-code publishing website, has been compromised while promoting the book Hacking for Dummies on its homepage.
Reg reader Andy told us: "Got an email from SitePoint this morning saying that they had been hacked and some non-important (to them) stuff like names, email addresses, hashed passwords etc might have been stolen. Coincided with a big increase in spam that I've been getting but that's probably coincidence."
An email sent to SitePoint users and seen by The Register confirmed the hack, though at the time of writing, the company has not published anything about it on its website or social media accounts.
It blamed an unnamed "third party tool we used to monitor our GitHub account, which was compromised by malicious parties."
The email sent to users said, in part:
We have recently confirmed that SitePoint's infrastructure was breached by a third party and some non-sensitive customer data was accessed as part of this attack.
As a precautionary measure, while we continue to investigate, we have reset passwords on all accounts and increased our required length to 10 characters. Next time you login to SitePoint you will need to create a new password.
It went on to say that no credit card data had been accessed and that stored passwords were hashed and salted. Relevant API keys have also been rotated and passwords changed.
Rather embarrassingly, the hack coincided with the prominent promotion on SitePoint's homepage of one very relevant book.
Meanwhile, irritated SitePoint users got on their forums to start complaining about the hack.
"I'm using a unique email address for Sitepoint and today I received a SPAM mail on this unique address," posted one, a message echoed over on Twitter:
The value proposition of sub-addressing in practice https://t.co/VY5Hoe8YjO
— Troy Hunt (@troyhunt) February 4, 2021
SitePoint has been around almost as long as El Reg, having been founded in the late '90s and evolving into a paid resource for people wanting to learn the basics of web development. The firm is based in Melbourne, Australia, which was in the wee hours of Saturday morning at the time of publication. Nonetheless, we have asked the firm for comment.
Given its longevity, it seems likely that many Reg readers might have accounts there – inactive or not. The standard advice applies: if you've reused your SitePoint password for something more valuable, change both passwords.
From the details given, it appears that this is another supply chain attack. Rather than directly targeting systems storing valuable data, criminals bent on accessing these are instead targeting other systems operated by the same organisation. Once inside those, they can then move laterally around the target org's network and effectively sneak behind defences intended to stop them. ®
Biting the hand that feeds IT
