I’ve banged on before about the need for web sites to store passwords encrypted. This is a good example of why it’s necessary.
Fasthosts, “the UK’s number 1 web host”, has fired off emergency emails telling customers to change all their passwords after police were called in to investigate a major data breach.
Also note:
We’ve asked Fasthosts why the passwords were not encrypted in the first place. It said: “Historically, Internet companies have rarely encrypted passwords to aid customer service.”
Hmm… “aid customer service”? Not sure that rings true. Particularly when someone breaks into your systems and gains access to your customer database. If the passwords were encrypted then they would still be secret.
Of course, there are many other good reasons for not using Fasthosts.
If I had any sites hosted with them, I’d be moving them away very quickly right now.
Update: From The Register’s discussion on this story:
Any developer worth his salt wouldn’t make such a hash of this.
Nice bit of geek humour.
Fasthosts have never had a good reputation for security. Several years ago they “accidentally” disabled their own security and allowed customers to see other customers’ credit card details. The staff aren’t particularly impressed, and often jump ship to a notable global IT security company (also based in Gloucester) rather quickly. Some of my colleagues have some interesting stories to tell :)