Everyone,
We've recently received reports of scammers emailing our members with bitcoin extortion attempts. We've identified that hackers were able to download email addresses and encrypted passwords from our database for a number of our users and use that information in these emails.
We believe we have identified the problem and fixed the vulnerability on the site, however we request that you change your password on the site as soon as possible.
Note that no credit card information, premium payment details, or other information is believed to have been exposed through this security incident. Additionally, RadioReference does not and never has stored plain-text passwords anywhere on the site or in the database.
What happened
Hackers exploited an SQL Injection vulnerability on the site to download approximately 25% of our members' email addresses and encrypted passwords. The hackers were then able to decrypt some of those passwords. The hackers then emailed some of these members with extortion demands for Bitcoin payment.
Technical Details
A query field on the RadioReference Mobile site m.radioreference.com was not properly sanitizing data (specifically, the ?fid=### field), which allowed hackers to craft a specific query to trick the page into retrieving a user's email address and encrypted password. We believe that about 25% of all our user accounts were affected, based on analysis of our logs.
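The defect class described above, as an added example that is not RadioReference's own code: a lookup that splices the `fid` parameter straight into SQL beside a hardened version that first rejects anything that is not a plain integer and then binds the value as a query parameter, plus a small log check of the kind that would flag non-numeric `fid` values in access logs. The table, column names, sample rows and log lines are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data; the real schema is not described on the page.
CONSTRUCTED_FEEDS = [(1, "County Fire"), (2, "City Police"), (3, "State EMS")]

# Constructed access-log lines in a common web-server format (hypothetical).
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [12/Jul/2019:10:01:02 +0000] "GET /feed.php?fid=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jul/2019:10:01:07 +0000] "GET /feed.php?fid=0%20OR%201%3D1 HTTP/1.1" 200 9001',
    '10.0.0.5 - - [12/Jul/2019:10:01:09 +0000] "GET /feed.php?fid=3 HTTP/1.1" 200 498',
]

FID_PATTERN = re.compile(r"\d{1,9}")  # positive base-10 integer only


def make_db():
    """In-memory SQLite database seeded with the constructed feed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feeds (fid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO feeds VALUES (?, ?)", CONSTRUCTED_FEEDS)
    return conn


def feed_lookup_vulnerable(conn, fid):
    """Query built by string concatenation: the ?fid= value is interpreted as
    SQL text, so it can change the query's structure instead of just its value."""
    sql = "SELECT fid, name FROM feeds WHERE fid = " + str(fid)
    return conn.execute(sql).fetchall()


def feed_lookup_hardened(conn, fid):
    """Two independent defences: validate the parameter's shape before it
    reaches the database, and bind it as a parameter so the driver never
    lets it alter the statement."""
    raw = str(fid).strip()
    if not FID_PATTERN.fullmatch(raw):
        raise ValueError("fid must be a positive integer")
    return conn.execute(
        "SELECT fid, name FROM feeds WHERE fid = ?", (int(raw),)
    ).fetchall()


def suspicious_fid_requests(log_lines):
    """Return the client IPs of requests whose fid parameter is not a plain
    integer; a cheap retrospective check over access logs for this parameter."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)
        for value in qs.get("fid", []):
            if not FID_PATTERN.fullmatch(value):
                flagged.append(line.split()[0])
    return flagged


if __name__ == "__main__":
    db = make_db()
    print(feed_lookup_vulnerable(db, "2"))          # one row, as intended
    print(feed_lookup_vulnerable(db, "0 OR 1=1"))   # every row: structure changed
    print(feed_lookup_hardened(db, "2"))            # one row
    print(suspicious_fid_requests(CONSTRUCTED_LOG)) # ['10.0.0.9']
```

Binding alone would already stop the query from being reshaped; the shape check in front of it is what turns a malformed request into a clean error (and a log entry) instead of a silent empty result.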
The vulnerability that was exploited for this incident was fixed during a cursory code review on July 12th 2019. We were not aware at the time that it was being actively exploited.
Passwords were hashed with the MD5 algorithm and a basic salt. The hackers were able to decrypt some of those passwords and then email the users indicating they knew what their passwords were.
Moving Forward
- All users should immediately change their password to upgrade the security on their stored password.
- The site has been upgraded to use an extremely strong password hashing mechanism based on bcrypt, which greatly reduces the ability to decrypt a user password.
- We are continuing code reviews and firewall configurations to prevent this from occurring again.
- We will soon expire and reset the passwords of all users who have not changed and updated their password to use the new hashing method.
Thank you for your patience and our apologies for the problems.
Lindsay