PSA: Cerberus breach prompts network-wide password reset
Do you use Cerberus, an Android app and service to help find and track your lost or stolen smartphone? You’ll want to head over to your account right now and change your password, as the company has revealed an unfortunate breach that may have given perpetrators access to your accounts.
An email sent to Cerberus subscribers tells us that username and encrypted passwords have been compromised. Thankfully no other account information was revealed the hackers, including email addresses and any personal information that may have been tied to the account.
And since the passwords were stored in an encrypted format, the hackers likely couldn’t do anything with the information they obtained — in fact, Cerberus believes only three accounts were broken into.
Regardless, Cerberus wants to make sure everyone has peace of mind by prompting users to reset their passwords. You won’t be able to login with your existing password to do this. Simply go to the site’s “Forgot Password” form here to get it going. Once you do that, Cerberus says it’s a good idea to log into your account and check your account logs to make sure no suspicious activity has taken place (such as someone requesting a location or trying to sound the phone’s alarm).
Here’s a more detailed breakdown of what occurred with this incident:
- The database was not accessed, and passwords are hashed and uniquely salted multiple times there. The hackers likely couldn’t access the accounts.
- – The hacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords that were generated by the app logins between March 1 and March 21
- They then deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
- A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
- A total of 3 accounts were accessed by the attackers, but Cerberus immediately blocked access to those accounts and reset their passwords. Those 3 users were notified before the others with a different email.
- As of March 26, none of the data obtained by the attacker is believed to be released publicly.
That’s the skinny of it, folks. These things happen, and it’s unfortunate when they do, but the most you can ask for is that the developers are responsible enough to provide proper communication and take necessary measures to ensure everyone is protected. That’s exactly what Cerberus did.
Of course, they’ll be looking into ways to improve their security even more down the line to make sure someone like this isn’t commonplace, and have already contacted security experts for a systems audit to see where and how they can improve.
[via Google+]