Digital comic book seller ComiXology, whose iPad application is consistently one of the top grossing options on Apple's App Store, informed users on Thursday that it was victim to a security breach, and users must reset their passwords.
In an email to users, ComiXology revealed that an "unauthorized individual" accessed a database containing usernames, email addresses, and cryptographically protected passwords. Payment information associated with accounts is not stored on the company's servers, and thus was not included with the data obtained in the breach.
Though the passwords stolen were encrypted, ComiXology is nevertheless requiring users to change their passwords as a precautionary measure. The company has also recommended that users change their password on any other website where they may use the same or a similar password.
ComiXology apologized to users, and said that it has taken measures to strengthen its security going forward.
Purchases through ComiXology's iOS applications are controlled by Apple through an iTunes account, but the company's cloud-based platform allows digital titles to be synced with other applications and viewed on other devices through a separate ComiXology account.
Offering digital comics from both Marvel and DC, the two biggest comic publishing firms, ComiXology is the largest cloud-based comic seller. For years it has been the top-grossing non-game application available on the iPad.
ComiXology also powers digital comic sales for the official Marvel and DC applications on iOS, both of which also frequently appear among the top grossing options on the iPad App Store. As of Thursday morning, ComiXology ranks No. 10, the Marvel Comics app is No. 38, and the DC Comics app is No. 41.
7 Comments
ComiXology requires users to reset passwords after security breach, then calls Batman!!!
[...]
Though the passwords stolen were encrypted, ComiXology is nevertheless requiring users to change their passwords as a precautionary measure. The company has also recommended that users change their password on any other website where they may use the same or a similar password.
ComiXology apologized to users, and said that it has taken on measures to strengthen its security going forward.
[...]
Sigh. I wish they would come clean with the level of risk (was it a common salt? no device pinning? etc.). I read this as, 'we shortcutted and encrypted/hashed your passwords in a simple manner, instead of one-way hashing them in a computationally intense manner.' Sad.
[soapbox]
Reading through the level of security Apple builds into iOS, it appears to be quite easy to add device pinning (only allow logins from previously successfully logged-in iOS devices), and state that up front in the breach mitigation risk statement ('you would be notified if a new device tries to log in with your credentials, and you can notify us, and we will notify authorities, if an unauthorized attempt to use your password is detected').
Eventually this should be the norm... and all companies that push authN without some level of specificity... (you cannot access your app from a new device without being present of one current device [to receive a notification, or email, or text, or iMessage] to grant the new device access).
Adding this 2nd factor is cheap and easy, and can reduce net exposure of the password.
[/soapbox]
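The comment above contrasts a "simple" hash with a common salt against one-way hashing in a computationally intense manner. The following Python is an added illustration of that distinction and is not code from ComiXology or from the commenter; the iteration count, record format and user names are assumptions chosen for the example. It stores each password as PBKDF2-HMAC-SHA256 with a per-user random salt, verifies in constant time, flags records whose work factor has fallen below the current target, and shows why a shared salt is a problem: with one salt for everyone, two users with the same password get the same digest, so the stolen table itself reveals which accounts share a password.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed parameters for this example; tune the work factor to your own hardware budget.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # deliberately slow: one guess costs ~hundreds of ms of CPU
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user is the default; passing `salt` explicitly is only
    for demonstrating the weak shared-salt scheme below.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record back into (iterations, salt, digest)."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGORITHM:
        raise ValueError(f"unsupported record type: {algo}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and work factor; compare in constant time."""
    iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored work factor is below the current target, so the
    record should be re-hashed at next successful login."""
    iterations, _, _ = _parse(record)
    return iterations < min_iterations


def duplicate_password_groups(records: Dict[str, str]) -> List[List[str]]:
    """Group users whose stored digests are identical.

    With a shared salt this exposes every pair of users who chose the same
    password without guessing a single one; with per-user salts it finds nothing.
    """
    groups: Dict[bytes, List[str]] = {}
    for user, record in records.items():
        _, _, digest = _parse(record)
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    # Constructed demo data; low iteration count only to keep the demo quick.
    shared_salt = bytes(SALT_BYTES)
    weak_table = {u: hash_password(p, salt=shared_salt, iterations=20_000)
                  for u, p in [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "other")]}
    strong_table = {u: hash_password(p, iterations=20_000)
                    for u, p in [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "other")]}
    print("shared salt leaks:", duplicate_password_groups(weak_table))
    print("per-user salt leaks:", duplicate_password_groups(strong_table))
    rec = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("needs rehash:", needs_rehash(rec))
```

The record carries its own salt and iteration count, which is what lets `needs_rehash` upgrade old entries transparently as hardware gets faster; a breach notice that can say "per-user salts, PBKDF2 at N iterations" is the kind of specific risk statement the comment asks for.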
They sent the email to everyone who has downloaded the iOS app even if they have never set up an account.
I have a friend that works for ComiXology. Apparently they don't pay their employees well enough. The Walmart of apps.
Just got a hack notice from another web service I use, Statista.
"Dear Statista-users,
Despite extensive safety precautions people unknown to us have illegally gained temporary access to our customer database. Bringing this to your attention is crucial to us. We can yet assure you that this security breach has since been closed by our team. However, there is still the possibility that some of your personal data may have been taken:
email address / login
Statista password (masked)
As a precautionary measure we will change your current password for your account. The new password will be sent to your email account after the next login: ***************
A masked version of the previous password has been stored and we can technically not rule out decryption. Please note that in case you use the same password for Statista as you do for other services (especially your email address), we recommend changing your password for those services as well. We very much regret this incident and see it as our duty to inform you about it instantly. We sincerely apologize for any inconvenience caused."
This is getting completely out of hand IMO.