Time Warner Cable 'Safe Storage' Service Hacked
Subscriber Addresses, Passwords Compromised
by Karl Bode 12:38PM Friday Aug 17 2012
An e-mail being sent to Time Warner Cable customers informs them that the company's Road Runner Safe Storage service may not be quite so safe. According to the e-mail, one of the service's databases was hacked into recently, giving an unidentified intruder access to numerous user account credentials including user names, e-mail addresses, user ID and passwords, and "possibly your billing address" if you had acquired additional storage at any point. The company insists that no credit card data or stored content was accessed during the hack.

Time Warner Cable's Road Runner Safe Storage is managed by Symantec, and according to the company, gives users 500 MB of "secure" storage for free. The company has set up a hotline for users to call if they have any questions about the intrusion: 1-855-815-2719. The full e-mail can be found below:
quote:
Dear Customer,

We are writing to inform you of a recent security incident involving your Road Runner Safe Storage account, which may have exposed your password. Recently, an unauthorized third party accessed one of our databases. As soon as we learned of the attack, we limited all access to the database and thus the vulnerability was eliminated. However, as a result of this incident, your account credentials may have been exposed.

The database that was accessed contained information you would have entered when you first created your account, including your name, e-mail address, user ID and password, your hint question/answer, and if you ever purchased more storage, possibly your billing address. Please be assured that no credit card numbers were accessed as a result of the attack and that none of the content that you previously stored with us could have been accessed.

As a result of this incident, we have changed your password to protect against any unauthorized access to your Safe Storage account. Should you still be using your Safe Storage account, upon your next login, you will need to use the forgot password? link to retrieve and reset your password.

We take privacy and data security very seriously and value the trust our customers place in us. If you use a similar password across multiple accounts, change your password on these accounts. As a general best practice, it's important to use complex passwords that are hard to guess and to change them regularly.

We apologize for any inconvenience this may have caused. For additional information, please visit www.swapdrive.com/alert. We have also set up a hotline to answer any questions you may have at 1-855-815-2719.

Thank you for your attention,

Symantec Corp. for Swapdrive.com/Road Runner Safe Storage


Alex J

@ecatel.net

Good Thing...

Good thing that meager 500 MB offering is so pathetic in the age of new cloud storage options nobody was probably using it.

battleop

join:2005-09-28
00000

Re: Good Thing...

"storage for free."

Yea, what a pathetic offering. I can't believe they don't offer 5032984032984023948 Tb for free.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3

When will they learn...

You must never store passwords.

jmn1207
Premium
join:2000-07-19
Ashburn, VA
kudos:1

Re: When will they learn...

I've been using LastPass for my password control to add an additional layer of security.

michieru
Premium
join:2009-07-25
Miami, FL
Reviews:
·Comcast Business..
·AT&T U-Verse

Re: When will they learn...

»threatpost.com/en_us/blogs/lastp···h-050511

I was interested in LastPass till I read this, and after that one article it was enough to convince me not to store any such data online period. It's an inconvenience but better than changing over 50 logins.

jmn1207
Premium
join:2000-07-19
Ashburn, VA
kudos:1

Re: When will they learn...

You should do some more research on LastPass and how it works. There is a single login that is encrypted and your account can be locked only to specific devices that you use. It manages over 50 logins, each completely different and even I couldn't tell you what any of them are off the top of my head.

Changes have been made since the suspected activity that may have resulted in a breach back in 2011.

All of your passwords are stored online at the site where you use it. Hopefully they are all encrypted. After Sony had their Playstation accounts hacked, I decided to use a service that would make it simple to generate very secure passwords that were all unique to each individual site I accessed, while making it an effortless process to log in.

battleop

join:2005-09-28
00000

Re: When will they learn...

Nothing is completely secure as long as humans are part of the design, implementation, and maintenance.
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

jmn1207
Premium
join:2000-07-19
Ashburn, VA
kudos:1

Re: When will they learn...

True, but I had a list of user names and passwords that I kept before, locally. When Sony was hacked and my account was potentially compromised, the email and password combination used at Sony was also being used at 8 other sites, including Paypal.

Rather than try and manage over 60 different very secure, unique passwords for each site I accessed, I decided to try a password locker, and LastPass made the cut after reviewing a few.

The biggest factor for me with LastPass is the convenience it offers. I'm not protecting Fort Knox here, and any compromise would be an annoyance, but it would not be a life changing disaster for me. I'll never tell anyone what they should use, I'll only say what works for me.

michieru
Premium
join:2009-07-25
Miami, FL
I am just going to stick to Keepass.

jmn1207
Premium
join:2000-07-19
Ashburn, VA
kudos:1

Re: When will they learn...

I tried that, but it didn't work for me nearly as well as LastPass. I love the online, cross-platform ease of use.

Even Steve Gibson gives LastPass his endorsement.

»blog.lastpass.com/2010/07/lastpa···ity.html

I'm sticking with what I feel is the far superior solution for me.

cork1958
Cork
Premium
join:2000-02-26
said by jjoshua:

You must never store passwords.

Stored passwords?

Never done such a thing. Not that much of a lame brain to count on some outside/third party thing to do that for me. I know how to all by myself.

Exactly why I'll never use cloud crap for anything remotely useful!
--
The Firefox alternative.
»www.mozilla.org/projects/seamonkey/

cdru
Go Colts
Premium,MVM
join:2003-05-14
Fort Wayne, IN
kudos:7

Re: When will they learn...

said by cork1958:

Stored passwords?

Never done such a thing. Not that much of a lame brain to count on some outside/third party thing to do that for me. I know how to all by myself.

Exactly why I'll never use cloud crap for anything remotely useful!

I think he was referring to the service storing the user's password for authentication. There is ZERO reason for a service to store a password in a format that can be recovered by any means other than pure brute force. And there is a less-than-ZERO reason for any type of a service that touts itself as "safe" or managed by a security software company.

Apparently no one there has heard of hashed passwords with a salt.

Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

1 recommendation

Nothing like giving up the keys to the kingdom

said by Letter :
The database that was accessed contained information you would have entered when you first created your account, including your name, e-mail address, user ID and password, your hint question/answer, and if you ever purchased more storage, possibly your billing address.
In short we were not practicing good security by storing your user name and password in clear text instead of salted and hashed. These days it doesn't matter how good your password is, if fools like this give it away.
--
Want the shirt? - »www.despair.com/thedestructor.html
Not affiliated or making any profit from sales
b10010011
Whats a Posting tag?

join:2004-09-07
Bellingham, WA
Reviews:
·Comcast Formerl..

1 recommendation

Another example why "The Cloud" is a bad idea.

Even worse a local accounting firm that fell hook line and sinker for cloud services was crippled for three days when Amazon's cloud went down.

They learned their lesson the hard way and have since abandoned all cloud based services.
--
Bellingham Scanner Kicks Ass! »bhamscanner.kicks-ass.org/

koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

Re: Another example why "The Cloud" is a bad idea.

said by b10010011:

Another example of why "The Cloud" is a bad idea.

This this this! In Slashdot terms: mod parent up.

Users should always have full ownership (thus full control) of their data, not some random online entity. This is why I advocate people do their own backups to media they themselves own and have physical control over.

That said, I should note I do not have a problem with services like rsync.net because the overall demographic is different and they're less of a "black box" than these weird online "cloud" or "cloud-esque" providers -- but I still would not use them for data which I consider extremely important or mission-critical.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

MxxCon

join:1999-11-19
Brooklyn, NY

Re: Another example why "The Cloud" is a bad idea.

said by b10010011:

Even worse a local accounting firm that fell hook line and sinker for cloud services was crippled for three days when Amazon's cloud went down.

They learned their lesson the hard way and have since abandoned all cloud based services.

"Amazon's cloud went down" is an ignorant and blatant lie.
Amazon Web Services has more than 30 different and separate services. I can guarantee on the life of your children and parents that the whole Amazon "cloud" DID NOT go down.

Amazon Web Services provides all the tools necessary to create a highly available, redundant and secure infrastructure that can continue to function if there's an outage in a specific datacenter, availability zone, geographic region or a continent.

If somebody is using AWS and they experienced an outage, it's their own damn fault for not following best-practices in creating a reliable and redundant setup.

If some idiot jumped from a plane with a single parachute, no backup and died, do you blame the whole skydiving industry for the actions of that idiot even though everybody told him to pack a backup?
--
[Sig removed by Administrator: signature can not exceed 20GB]

koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

Re: Another example why "The Cloud" is a bad idea.

MxxCon, I am in full agreement that the likelihood of a highly diversified cloud service (like AWS) going completely offline -- that is to say, EVERY geographic region going down -- is pretty unlikely.

However, there have been a few documented cases of entire AWS geographic regions going down:

* 2012/03/15 -- EC2 east region -- reference
* 2012/03/26 -- Amazon EC2 -- reference

I haven't seen anything on the outages mailing list (I'm subscribed) about AWS issues since then. I'd have to check NANOG as well to see if there were reports there too.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.

MxxCon

join:1999-11-19
Brooklyn, NY

Re: Another example why "The Cloud" is a bad idea.

Yes, a region can go down, but again, AWS offers people all the tools necessary to create an infra that can survive a region failure. If they did not implement and such an outage was unacceptable to them, it's their own fault.

And I doubt that "a local accounting firm" would be using a bare-bones EC2 anyway. It would be either S3 or some seller.
If it's a seller that had 3 day long outage, then again, don't blame Amazon or "cloud" for actions of one incompetent company!
--
[Sig removed by Administrator: signature can not exceed 20GB]

AnonFTW

@rr.com
Any engineer worth his salt who is hosting with AWS would set up redundancy in two, very geographically redundant, regions.

The fact several high profile sites didn't and went down along with a single AWS region just proves they should invest more money into infrastructure talent.

There is nothing wrong with "the cloud" as long as your provider is half-way competent.

Disclaimer: I am a SaaS cloud engineer. We don't host with AWS and we have geographic redundancy via BGP.

AnonMe

@comcastbusiness.net
If you were one of those Amazon customers in the unfortunate geographic region who couldn't access any of your data, from your perspective, "The Amazon Cloud was down."

MxxCon

join:1999-11-19
Brooklyn, NY

Re: Another example why "The Cloud" is a bad idea.

said by AnonMe :

If you were one of those Amazon customers in the unfortunate geographic region who couldn't access any of your data, from your perspective, "The Amazon Cloud was down."

Actually, I was one of those customers that got affected by east coast outage. We were not down because we had infra setup on the west coast and in Singapore. And "amazon cloud" was not down. Only a specific service was, EC2 and EBS.
--
[Sig removed by Administrator: signature can not exceed 20GB]
b10010011
Whats a Posting tag?

join:2004-09-07
Bellingham, WA
Reviews:
·Comcast Formerl..
said by MxxCon:

"Amazon's cloud went down" is an ignorant and blatant lie.

Whatever...

The cloud service they were purchasing from Amazon was unavailable for three days.

Call it what you will but from this business's perspective Amazon's cloud was down.
--
Bellingham Scanner Kicks Ass! »bhamscanner.kicks-ass.org/
BosstonesOwn

join:2002-12-15
Wakefield, MA
Reviews:
·Verizon FiOS

Come on !

You all missed the obvious ! Safe Storage was not so safe !

Well at least with 500 megs we can say it really wasn't much for them to lose
--
"It's always funny until someone gets hurt......and then it's absolutely friggin' hysterical!"
etaadmin

join:2002-01-17
Dallas, TX
kudos:1

Re: Come on !

said by BosstonesOwn:

You all missed the obvious ! Safe Storage was not so safe !

Well at least with 500 megs we can say it really wasn't much for them to lose

The way I understand it the use of 'safe' within this context is to provide data resiliency not data security, who cares if some hacker got hold of your Grandmother's Christmas pictures.

But you are right this should have never happened and passwords should have been salted, hashed and placed in a different server.

MxxCon

join:1999-11-19
Brooklyn, NY
said by BosstonesOwn:

You all missed the obvious ! Safe Storage was not so safe !

Sure it is safe. Your data is still in that safe, banker just lost the keys to it.
--
[Sig removed by Administrator: signature can not exceed 20GB]

Dominokat
"Hi"
Premium
join:2002-08-06
Boothbay, ME
kudos:2

I didn't even know

... this existed on Time Warner.
Not that I'd use it anyway. I don't trust "cloud" based systems.
etaadmin

join:2002-01-17
Dallas, TX
kudos:1

Re: I didn't even know

said by Dominokat:

... this existed on Time Warner.
Not that I'd use it anyway. I don't trust "cloud" based systems.

Correct, who in their right mind uses 'cloud' services to store security sensitive information it is just a magnet for hackers, criminals and state sponsored spying.

MxxCon

join:1999-11-19
Brooklyn, NY

Re: I didn't even know

said by etaadmin:

said by Dominokat:

... this existed on Time Warner.
Not that I'd use it anyway. I don't trust "cloud" based systems.

Correct, who in their right mind uses 'cloud' services to store security sensitive information it is just a magnet for hackers, criminals and state sponsored spying.

Ignorant much?
I guess you don't know that many insurance and financial institutions store their documents using "cloud" services.

It is extremely ignorant of you to condemn the whole industry because some idiots do not know the basics of security.

Do you even know what this "cloud" means? Doesn't seem like it.
--
[Sig removed by Administrator: signature can not exceed 20GB]
etaadmin

join:2002-01-17
Dallas, TX
kudos:1

1 recommendation

Re: I didn't even know

said by MxxCon:

Ignorant much?
I guess you don't know that many insurance and financial institutions store their documents using "cloud" services.

Dumb me... of course "many insurance and financial institutions store their documents using "cloud" services" I feel so much safer now.

Thanks!... wait I'm talking to a Gorilla.
Rojo

join:2009-04-14
New York, NY
kudos:1

Re: I didn't even know

LOL! best laugh I've had all week

skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

1 edit
So what, just because financial institutions use cloud storage doesn't make it safe.

Fact is you never know which idiots are running which services. Smart today, idiot tomorrow.


Dominokat
"Hi"
Premium
join:2002-08-06
Boothbay, ME
kudos:2
Reviews:
·Time Warner Cable

1 recommendation

said by MxxCon:

Ignorant much?
I guess you don't know that many insurance and financial institutions store their documents using "cloud" services.

Yes, I know what the cloud is. And I also know how much insurance and financial institutions get hacked since they moved to it. Thank you. I feel so secure using the cloud now.

RedCaliSS
Premium
join:2004-08-21
Murrieta, CA
Reviews:
·Verizon FiOS

Old Old School

ahh hell I'm old, and believe in old school practices.. I even have Tape Drives to backup my backups.. and LTO Ultrium 5 drives ain't cheap but in instances like this, I'm glad I popped for one in my personal 8 TB NAS I created. I do NOT trust the "cloud". never have never will. 50+ years of stuff now digitized, stored and backed up.

Long Live the Commodore 64!!!

OSUGoose

join:2007-12-27
Columbus, OH

Hold On!

You guys fell for that email? TWC/Insight said it was fake and to delete it.

rnjive

@qwest.net

icloud hacked

Ok who in their right mind would leave back up materials on line.