Hackers hit the NASDAQ community forum, email addresses and passwords compromised


There is bad news if you are in the habit of discussing stocks on the NASDAQ community forum, because hackers have managed to break into the site, and could have compromised usernames, email addresses and passwords.

The only silver lining on the cloud is that trading and commerce platforms were not impacted by the hack.

Users of NASDAQ’s community messageboards should have received an email from the site, warning users about the security breach and advising members to change their passwords on *other* websites if the same password was being used.

Email from NASDAQ

My guess is that the servers running the NASDAQ community messageboard software had not been properly configured or not kept updated against vulnerabilities, and this allowed hackers an open window to access sensitive information.

Of course, it’s never a good idea to use the same password in multiple places. If you are reckless and use the same password on multiple websites, then if *one* site suffers a serious security breach and hackers manage to get hold of passwords, your accounts on *other* sites could be at risk too.

Worryingly, there is no mention of passwords being securely encrypted, suggesting that the site could have been storing users’ passwords in an insecure fashion up until now.

What also irks me is how NASDAQ is describing the issue on the (currently shut-down) community forum itself:

NASDAQ forum

We are currently upgrading the NASDAQ.COM Community site.

We apologize for the inconvenience.

Any member of the online NASDAQ community who has missed the email advisory won’t be any the wiser from that message that the site has been hacked, and their usernames, email addresses and passwords have been compromised.

Shouldn’t the site be more upfront about the security breach, and offer - for instance - advice that if members were using the same passwords elsewhere on the net, that they should be changed as a matter of priority?

Wouldn’t it be helpful to warn about the threat of phishing emails?

The simple “we’re upgrading the site” message feels to me a little like an attempt to brush the issue under the carpet, in the hope that the very people who need to be warned there is an issue - the community’s members - don’t notice.

Although I’m obviously pleased that an email was sent out (hey! let’s hope none of them were to an expired Yahoo address, eh?)

Consider me unimpressed by NASDAQ’s handling of this.


2 Responses

  1. cypherpunk

    July 18, 2013 at 8:59 am #

    Did they leak the hacked content on Pastebin or somewhere else?
