StumbleUpon account hacked - security lax
Recently I hooked up my StumbleUpon account to the new FriendFeed service, which aggregates all your social networking activity. Just for fun I subscribed to my own FriendFeed to see what types of things came in. What a surprise this morning when I began reading my feeds in Google Reader and found all kinds of spam porn links coming from my StumbleUpon account.
I figured it had to be a mistake, so I went to my favorites page and sure enough, there are about a dozen pages that I've never heard of with my own personal thumbs up. I checked the password and for some odd reason it was the original 6-character password that SU sent me in the beginning. I must not have changed it because I couldn't figure out how to at the time. It's not terribly intuitive to do so: you have to use the toolbar to change it. The option is not on your web-based profile page.
So I finally changed it today, only to have the new password sent to me in plain text by email. StumbleUpon, you get a big fat "F" on security today. You wouldn't think that spam would find something like StumbleUpon, but that has all changed.
Some spammer must have found my password either by using hash tables or by finding one of the plain text emails. All it took from that point was to write a script to approve pages on my account without my knowledge. The moral of the story is that your social bookmarking sites need good strong passwords just like any other accounts. Use at least 14 characters, mixing letters and numbers. Delete any emails that come from StumbleUpon with your password in them. Keep your password in a safe place, like a password keychain on your computer, or perhaps a notebook inside a safe.
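To make the two technical points above concrete, here is an added example in Python (stdlib only). It is not code from the original post or from StumbleUpon. It shows, first, what "hash tables" means in practice: an unsalted hash of a short password is recovered with one lookup in a precomputed table, while a per-user random salt plus an iterated hash (PBKDF2 here) gives the site a record it can verify but cannot turn back into the password, which is exactly why a site that can email you your password is storing it wrong. Second, it shows the gap in bits between a 6-character and a 14-character password drawn from letters and digits, and generates one from the OS random source. The round count, salt length, alphabet and the candidate password list are assumed values chosen for the illustration.

```python
"""Added example: password storage versus precomputed tables, and password
strength in bits. Not code from the original post or from StumbleUpon.
PBKDF2_ROUNDS, SALT_BYTES, ALPHABET and the candidate list are assumptions."""
import hashlib
import hmac
import math
import secrets
import string
from typing import Dict, Iterable, Optional

PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16           # assumed salt length
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


# --- (1a) what a precomputed "hash table" does to unsalted hashes ---
def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password, the kind of record a table attack targets."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_unsalted_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Map unsalted SHA-1 -> plaintext for a candidate list (a toy precomputed table)."""
    return {unsalted_sha1(p): p for p in candidates}


def crack_unsalted(stored_sha1_hex: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers the password if the site stored a bare hash."""
    return table.get(stored_sha1_hex)


# --- (1b) how a site should store the password instead ---
def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$rounds$salt$digest'.
    A random per-user salt means a table would have to be precomputed per salt,
    and the record cannot be turned back into the password, so the site has
    nothing it could email you."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- (2) password strength: bits of a uniformly random password ---
def password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits = length * log2(alphabet size). For [A-Za-z0-9],
    6 characters give about 35.7 bits and 14 characters about 83.4 bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG; keep it in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidate list standing in for a real precomputed table.
    table = build_unsalted_table(["abc123", "qwerty", "letmein", "passw0rd"])
    print("unsalted SHA-1 cracked:", crack_unsalted(unsalted_sha1("qwerty"), table))
    record = hash_password("qwerty")
    print("salted record:", record)
    print("verify correct:", verify_password("qwerty", record))
    print("verify wrong:", verify_password("qwertz", record))
    print("6-char bits: %.1f, 14-char bits: %.1f" % (password_bits(6), password_bits(14)))
    print("suggested password:", generate_password())
```

The bit counts assume the password is chosen uniformly at random; a 14-character password built from dictionary words or a keyboard pattern has far less. The salted record still falls to a guessing attack on a weak password, which is why both halves of the advice (the site hashes properly, the user picks a strong random password) are needed.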
UPDATE - WELCOME STUMBLEUPON TRAFFIC
Well, it seems that this post got a bit popular on StumbleUpon.com. I enjoy reading all the reviews. I do want to clarify a thing or two. Some people are suggesting that I am blaming StumbleUpon for the hack. There are three points I made:
- The first point is that, yes, I was a complete dumb-ass to have not changed my password and made it stronger. This is 100% my fault.
- The second point was that StumbleUpon should not be sending passwords through email. No company should do that. When I talk about lax security, that's what I mean.
- The final point was that social networking needs strong passwords just like your bank account. It's your identity at risk. Many people don't think of it like that.
Thank you to everybody who has visited.

