OFFICIAL SECURITY BLOG
March 6, 2014 | BY Christopher Boyd
You may find the following email is dropping into your mailbox right this very second from ComiXology:
Dear Comics Reader,
In the course of a recent review and upgrade of our security infrastructure, we determined that an unauthorized individual accessed a database of ours that contained usernames, email addresses, and cryptographically protected passwords.
Payment account information is not stored on our servers.
Even though we store our passwords in protected form, as a precautionary measure we are requiring all users to change their passwords on the comiXology platform and recommend that you promptly change your password on any other website where you use the same or a similar password. You can reset your comiXology.com password here.
We have taken additional steps to strengthen our security procedures and systems, and we will continue to implement improvements on an ongoing basis.
Please note that we will never ask you for personal or account information in an e-mail, so exercise caution if you receive emails that ask for personal information or direct you to a site where you are asked to provide personal information.
We apologize for the inconvenience. If you have any questions, please contact us by sending an email to supportATcomixology.com
Clicking the link will take users to a password reset page, where entering your email into the box will fire out a reset missive. However, those affected report the page to be timing out at present – it’s probably under heavy load as we all scramble to update our details.
As for the email itself, things to note:
1) No payment information taken, so that’s good.
2) The passwords were stored “in protected form”. That’s great, but there’s no additional information as to what kind of protection was in place besides “it’s cryptographic”. That’s certainly better than “nothing at all” though (and for a look at how things can go wrong even with protection in place, you should read the article on the 2013 ABC breach by Troy Hunt).
3) A clickable link. I’m not a huge fan of clickable links in emails, especially when dealing with data theft emails. It’s a great way to train end-users to click similar links in fake mails from those looking to take advantage of whatever confusion has been generated.
4) They advise Comixology users that they will never send out mails asking for personal information or direct you to sites asking you to provide personal information. That’s great, but isn’t sending an email with a clickable link in it doing just that?
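To make point 2 concrete, here is an added example (not ComiXology's code, and nothing about their actual scheme is known beyond "cryptographically protected") contrasting two ways a site might store passwords "in protected form". The weak store is a single fast, unsalted hash; the strong store is a salted, deliberately slow PBKDF2-HMAC-SHA256 derivation. The user records, the shared password, and the short list of common passwords are constructed for the demonstration; the iteration count is an assumption to be tuned for real hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts; two of them reuse the same password.
USERS = {
    "alice@example.test": "correct horse",
    "bob@example.test": "correct horse",
    "carol@example.test": "Tr0ub4dor&3",
}

# Constructed list standing in for a wordlist of very common passwords.
COMMON_PASSWORDS = ["123456", "password", "correct horse", "letmein"]

PBKDF2_ITERATIONS = 200_000  # assumption: pick a cost that fits your login budget


def weak_store(password: str) -> str:
    """'Protected form' that is too weak: one fast, unsalted SHA-1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow KDF. Stored as 'iterations$salt_hex$dk_hex' so each field is recoverable."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_value_groups(stored: Dict[str, str]) -> int:
    """Number of stored values that appear for more than one user.

    With an unsalted hash, users who chose the same password get the same
    record, so the database itself reveals password reuse.
    """
    counts: Dict[str, int] = {}
    for value in stored.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def weak_records_matching_wordlist(stored: Dict[str, str]) -> int:
    """How many weak records match a single precomputed hash of each common word.

    One hash per candidate covers every user at once; there is no per-user
    salt and no per-guess cost, which is why a leaked unsalted table is so
    much worse than a leaked salted-KDF table.
    """
    precomputed = {weak_store(p) for p in COMMON_PASSWORDS}
    return sum(1 for v in stored.values() if v in precomputed)


def demo() -> Dict[str, int]:
    weak = {u: weak_store(p) for u, p in USERS.items()}
    strong = {u: strong_store(p) for u, p in USERS.items()}
    return {
        "weak_shared_groups": shared_value_groups(weak),
        "strong_shared_groups": shared_value_groups(strong),
        "weak_wordlist_hits": weak_records_matching_wordlist(weak),
    }


if __name__ == "__main__":
    print(demo())
```

The strong store does not make a weak password strong: "correct horse" is still in the wordlist, and an attacker can still try it against one user's salted record. What changes is the cost: every guess must be re-derived per user at the chosen iteration count, and identical passwords no longer share a stored value. A notice that says only "cryptographically protected" could describe either column, which is why the question in point 2 matters.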
If you do manage to get your hands on the password reset email, you’ll see the following:
Dear Comic Enthusiast,
You are receiving this email because you have requested to update your password.
To create a new password, please click the link below and log into your comiXology account:
This link may only be used once and must be used within 24 hours. This personalized link will no longer be usable if you requested or received another password reset email.
From there, all you have to do is select a new password.
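The reset email above describes three properties of the link: it is single use, it expires after 24 hours, and it is invalidated by a newer reset request. The following added example (not ComiXology's implementation, whose internals are not public) shows a minimal token store with exactly those rules. The account name is constructed, the clock is injectable so the 24-hour expiry can be exercised without waiting, and only a hash of each token is kept server-side, which is an assumption about good practice rather than anything the email states.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # "must be used within 24 hours"


class ResetTokenStore:
    """Holds at most one outstanding password-reset token per account.

    Rules enforced, matching the wording of the reset email:
      * issuing a new token replaces any earlier one for that account
      * a token can be redeemed once, then it is gone
      * a token older than TOKEN_TTL_SECONDS is rejected and discarded
    Only the SHA-256 of the token is stored, so a copy of this table does not
    by itself allow a reset.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # account -> (token_hash, issued_at)
        self._by_account: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: str) -> str:
        """Create a fresh token for the account and return it for emailing."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._by_account[account] = (self._digest(token), self._clock())
        return token

    def redeem(self, account: str, token: str) -> bool:
        """Consume the token if it is the current, unexpired one for the account."""
        entry: Optional[Tuple[str, float]] = self._by_account.get(account)
        if entry is None:
            return False  # never issued, already used, or superseded and cleared
        token_hash, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            del self._by_account[account]  # expired: clean up and refuse
            return False
        if not secrets.compare_digest(token_hash, self._digest(token)):
            return False  # wrong token, e.g. an older link after a newer request
        del self._by_account[account]  # single use
        return True


def demo() -> Dict[str, bool]:
    """Walk through the three rules with a fake clock; constructed account name."""
    now = [1_000_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    account = "reader@example.test"

    first = store.issue(account)
    second = store.issue(account)  # user clicked "reset" twice; first is now dead
    superseded = store.redeem(account, first)
    fresh = store.redeem(account, second)
    second_use = store.redeem(account, second)

    third = store.issue(account)
    now[0] += TOKEN_TTL_SECONDS + 1  # a day and a second later
    expired = store.redeem(account, third)

    return {
        "superseded_link_accepted": superseded,
        "current_link_accepted": fresh,
        "reuse_accepted": second_use,
        "expired_link_accepted": expired,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the example leaves to the surrounding application: the reset form should respond identically whether or not the submitted address has an account, so the page does not become an account-enumeration oracle, and the successful redeem should be followed immediately by the password change, with any other active sessions for that account ended.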
This is a good time to go check your passwords and ensure you’re not using the same ones across multiple sites – and consider making use of a password manager. As the post over at Bleeding Cool illustrates, that’s a lot of people receiving those emails and it may take a little while for everything to start working smoothly again.