The website of the Racing Post, a daily newspaper obssessed with horse racing, greyhound racing and other sports betting, has been hacked by criminals who managed to access customer information.
A statement published on the website, shares some (but not much) detail of the security breach:
Our site was the subject of a sophisticated, sustained and aggressive attack on Friday and Saturday, in which one of our databases was accessed and customer details were stolen.
Customer credit and debit card details are not stored on the site and have therefore not been accessed and are not at risk.
The information at risk from the database that was compromised will vary in the case of each customer, depending on how much information you gave us when you registered.
It includes: usernames, first and last names, encrypted passwords, email and customer addresses and date of birth.
As a consequence, customers have been advised by email that they should take the precaution of changing their password on other sites if it is the same one that they use for racingpost.com.
As has become worryingly common with notifications of password database breaches, no details are shared by the Racing Post about the nature of the encryption used in the database or - most importantly - whether the passwords were salted and hashed to prevent easy decryption by hackers.
Worryingly, The Register reports that the site acknowledged that the passwords can be decrypted in an email sent to affected users:
“We have now established that a number of customer accounts were accessed. Although all the passwords are encrypted, we believe that there is still a chance that some passwords can be deciphered. As yours is one of the accounts involved, there is a risk of identity theft.”
The silver lining on the cloud, is that the hackers did not manage to access any payment information about gambling enthusiasts, as that is handled by another agency.
Nevertheless, users of the Racing Post website would be wise to check that they are not using the same password anywhere else on the web.
You should never use the same password on multiple websites, because if hackers manage to find out your password in one place, you could find your other online accounts have also been put at risk.
Of course, it’s not just passwords that have been exposed by this security breach. Users’ names, email addresses, and dates of birth (amongst other information) have also fallen into the hands of cybercriminals.
It is easy to imagine how malicious attackers could craft a targeted attack against readers of the Racing Post, using that information to create carefully crafted emails designed to infect their computers or phish other information from them.
Be on your guard.