Mary tut-tuts at Tuts+ Hacking
Tuts+ was hacked this week. Basically, the hacker or hackers gained access to the Tuts+ database and were able to steal members’ email addresses and unencrypted passwords.
What makes the Tuts+ news very disappointing is not that they were hacked, but that they stored unencrypted (read: plain text) passwords in their database. That’s like locking your car but leaving the windows open in Quiapo or hanging out at Starbucks without lording it on Facebook. Read: there’s no effing point.
The Tuts network is famous for producing top-notch, high-quality tutorials on design and programming, among other things. And hearing this happen to them is like finding out that the guy who got his car stolen in Quiapo was the same guy who wrote an article on How To Secure Your Car Against Carnappers… makes you want to check your car every ten seconds, huh?
But the non-encryption was done by a third-party plugin!
Yes, you’re right. I won’t blame Tuts+ for using a third-party plugin to manage its membership. But I AM blaming them for taking this long to fix the security issue.
What, do you think they installed that plugin and didn’t immediately notice that the password field was unencrypted?
Now, I’m not the database guru at CRS, but I still saw a lot of database action.
(So much, in fact, that I wouldn’t even bat an eyelash if a database went naked and danced the conga in front of me.)
For someone not to notice the unencrypted passwords right away was almost impossible. But for someone to notice THEN not make the correction an immediate priority? That’s downright irresponsible. And for that, I give them ten tut-tuts.
(Plus points for transparency, though. If the comments were any indication, an honest and contrite management does make up a lot for lapses in technical judgement.)
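What “noticing the password field” looks like in practice, as an added example that is not code from the post or from Tuts+: the plain-text column is the weak pattern, the remedy is a salted, slow hash (not encryption, which is reversible), and a small audit function flags every row that still holds a raw password so the fix can be prioritised the day the plugin goes in. The table rows, the `pbkdf2_sha256$…` storage format and the iteration count are constructed assumptions for this example.

```python
import hashlib
import hmac
import os

# Weak pattern (constructed sample rows): the password column holds the secret itself.
PLAINTEXT_TABLE = {
    "alice@example.com": "hunter2",
    "bob@example.com": "correct horse battery staple",
}

# Assumption: a work factor that keeps each guess slow; tune to your hardware.
PBKDF2_ROUNDS = 600_000

def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def looks_hashed(value: str) -> bool:
    """Audit heuristic: does a stored value match our hashed format rather than a raw password?"""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        int(parts[1]); bytes.fromhex(parts[2]); bytes.fromhex(parts[3])
    except ValueError:
        return False
    return True

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and rounds; compare in constant time."""
    if not looks_hashed(stored):
        return False
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def audit(table: dict) -> list:
    """Return the accounts whose password column does not look hashed, i.e. is plain text."""
    return sorted(email for email, value in table.items() if not looks_hashed(value))

def migrate(table: dict) -> dict:
    """Rehash every plain-text entry; rows that are already hashed are kept as-is."""
    return {email: (value if looks_hashed(value) else hash_password(value))
            for email, value in table.items()}
```

Running `audit` against the sample table names both accounts; after `migrate` it returns an empty list, and `verify_password` still accepts the original passwords because the salt and rounds travel with the stored value.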