Ars Technica was hacked. Readers advised to change passwords

Technology news website Ars Technica has admitted that it suffered a hack attack on Tuesday.

The hack was apparently prefaced by a defacement of Ars Technica's front page, before the hacker returned a day or so later and managed to access a user database.

As a result, registered users of Ars Technica may have had their email addresses exposed, along with their hashed and salted passwords.

Tonight users who had registered on the site began to receive email notifications from the site, advising them that it would be sensible in an "excess of caution" to ensure that they are not using the same password on any other websites.

Ars Technica email

You are receiving this email because you may have - at some point - registered as a user on ArsTechnica.com. Our site was recently hacked.

Log files suggest that this intruder had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and cryptographically-protected passwords.

Out of an excess of caution, we strongly encourage all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.

Good for Ars Technica for coming clean, and advising registered users to change their passwords as a precaution... but it's a shame they are hiding the news so far down their webpage...

Ars Technica hack

It's also a shame that they didn't warn their users that their stolen email addresses could now be used in targeted phishing attacks, perhaps with cybercriminals disguising their messages as coming from Ars Technica.

Be careful out there, or you might find yourself the next to fall arse over tit.


7 Responses

  1. jmgosney

    December 18, 2014 at 1:05 am #

    To be fair, the notification was pinned at the top of their page all day yesterday and most of today. It was unpinned when it was replaced with the Sony/The Interview update. I assume they thought it was safe to unpin it after the notification emails went out.

    • Graham Cluley in reply to jmgosney.

      December 18, 2014 at 1:17 am #

      Oh was it? I missed that.

      I would prefer if hacked sites erred on the side of caution, and made a notice like that prominent for an extended period of time. After all, folks change email addresses, or go on vacation only to zap all the email they received in the meantime, etc etc…

      I'm pleased they sent out notifications, but personally I think they would be serving their registered users better by continuing to make the warning prominent. I felt like I was scrolling forever to find it… It's not as though it has to take a *lot* of room.

    • Coyote in reply to jmgosney.

      December 18, 2014 at 1:28 am #

      Graham has the right idea. One day (or a day and a half or…) is hardly sufficient for a security breach. It is sufficient only if they are trying to hide it. But since they already made it public, that seems a bit late. I might add that assuming will – sorry I cannot help it – not only make an arse of you and me (okay, well, s/arse/ass … ) but also is a dangerous thing when it comes to something like this (perhaps however it is not you who assumed but rather it is Ars… that did).

  2. Coyote

    December 18, 2014 at 1:22 am #

    "Be careful out there, or you might find yourself the next to fall arse over tit."

    That… was… awesome. That is a large understatement (and yes, of course it is intended).

  3. Christopher

    December 18, 2014 at 6:04 am #

    Personally, I am cheering this hack. Have nothing to do with it but after being perma-banned for 'trolling', i.e. posting a non-majority PoV on 'global warming' (i.e. that it is nonexistent and posting articles that linked to legitimate scientific studies on the subject), I have to give the big old clap clap clap here.

    ArsTechnica and numerous other tech sites have morphed into places where if you post a non-majority PoV on some subject that some mod disagrees with? They go ban happy!

  4. RoadRoller

    December 18, 2014 at 6:03 pm #

    Pardon me while I don't shed a tear of sympathy towards Ars Technica. When you're dealing with a site whose moderators and members are of the utmost conceited and narcissistic in their views towards the tech industry and those who are struggling to make ends meet within it, you can't help but applaud the maneuver here. This hack was well-deserved and exposes the narcs of the site for the hypocrites that they are.

    If Ars Technica wants respect and sympathy, they're going to have to provide it right back. It's a two-way street in this industry.

  5. RoadRoller

    December 30, 2014 at 6:48 am #

    Alright, for the person who voted me down, listen up. I joined the Ars Technica forum upon suggestion from a friend and was a member for several months. I relied upon their expertise to help me get through a pair of textbook assignments. I was studying the C programming language at the time. The first problem involved the use of recursion to help print out rows and columns in a database while the second problem involved the use of structures to help calculate the electrical output of a battery. The only thing I asked on that forum was whether both my program outputs met the specifications of the textbook questions.

    Instead of being given a straight answer, I was blasted for using "bad form" code and was grilled further on the lack of proper coding techniques, such which were not taught in the textbook but I, as a learner, was expected to know regardless. This criticism was and still is unwarranted as I am not a technical expert, I am a learner to a new language. The coding techniques in the textbook were taught by Jeri R. Hanly of The University of Wyoming and Elliot B. Koffman of Temple University. They are both well-respected coding engineers who had taught real industry coding and their methods are held in proper regard by computer scientists across the country. Ars Technica apparently refuses to show proper recognition for these techniques because it does not comply with their community standards of technical professionalism and will proceed to lambast anyone who does or uses other techniques that is not of their own standards.

    Furthermore, the forum members have a tendency to provide their criticisms on an after-the-fact basis without notifying their suggestions beforehand to the user. The result is constant modification of code that is subject to endless harsh criticism without any reassurance or respect to the user effort in regards to technical education development. The only result that one can expect from these methods of "guidance" is a sense of hopelessness that can drive one to leave their subject of expertise behind.

    Ars Technica needs to understand that aside from technical expertise, respect must be provided to those who are working their way up in the industry. These are the people who could be the future of the industry. To disregard that in favor of conceit as a result of alternate coding principles not only creates pariahs out of a new generation of potential experts but further cements the community as a gang of intellectual bullies.

    This is why I won't sympathize with Ars Technica being hacked. Sometimes, the bullies need to be taught a lesson.
