Now, some 24 hours later, user login to the site is still disabled. So far Forbes has not announced any details about the attack other than a tweet and a Facebook update (oddly there's no announcement at all on the Forbes Web site), while the blog re/code reported that a Forbes spokeswoman confirmed the attack:
Forbes.com's publishing platform was compromised. We've been making adjustments to the site to protect online privacy and the editorial integrity of our content. We are looking into and monitoring the situation closely. We're taking this matter very seriously
Interestingly, the Syrian Electronic Army rather mysteriously tweeted:
@Forbes can thank @TheAlexKnapp for this hack. #SEA
Alex Knapp is Forbes' social media editor; how he or his account might have been the entry point has yet to be revealed. It's worth noting that Forbes' CMS is WordPress, whose security depends heavily on keeping the core and its plugins patched and up to date. According to another re/code post the stolen data:
... contains the names and known email addresses of several current and former employees at Forbes. But the passwords are displayed as hashes, which is a term of art meaning that the passwords aren’t shown in plaintext. For example the word “passwords” might be recorded in the database as “$P$98tqH9rq4bGEc1E6oThXjM3J.5xU3t.” However they could potentially be recovered by someone who understands the nuances of password hashing.
I was once a contributor to Forbes and still have a user account on the site, so how did I find out about the attack? This morning a friend of mine on an email list posted a message he'd just received from a service I hadn't heard of:
Subject: You're one of 1,057,819 people pwned in the Forbes data breach
Date: 15 Feb 2014 12:44:33 +0000
From: Have I been pwned? <firstname.lastname@example.org>
You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened.
You're one of 1,057,819 people who've had an account compromised in the *Forbes* hack of Feb 2014, the details of which you can read about here <https://haveibeenpwned.com/PwnedWebsites#Forbes>.
You can also run a search for breaches of your email address <https://email@example.com> again at any time to get a complete list of sites where your account has been compromised.
As with any data breach, the usual advice applies: go to the impacted site and reset your password immediately plus, of course, ensure that you're not reusing that password on any other sites.
Of course I immediately checked my email accounts on haveibeenpwned.com and discovered that only my main email address was compromised, in both the Forbes breach and the October 2013 Adobe breach, and I would advise you to do the same, right now.
haveibeenpwned.com only has data on 13 large breaches in which the attackers publicly published the purloined credentials. While that may not sound like much the total number of "pwned" accounts they have in their database is 161,506,386! The breakdown is:
- 152,445,165 Adobe accounts
- 4,609,615 Snapchat accounts
- 1,247,574 Gawker accounts
- 1,057,819 Forbes accounts
- 859,777 Stratfor accounts
- 530,270 Battlefield Heroes accounts
- 453,427 Yahoo accounts
- 148,366 WPT Amateur Poker League accounts
- 56,021 Vodafone accounts
- 38,108 Pixel Federation accounts
- 37,103 Sony accounts
- 20,902 Bell accounts
- 2,239 Tesco accounts
So, what are you waiting for? Go check whether your accounts have been pwned!
[Thanks to Greg.]