We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

myBART hack by Anonymous could have been worse

The website for several years issued randomly generated passwords, which were unlikely to be resued

The disclosure of 2,000 usernames and passwords by the hacking collective Anonymous against a San Francisco transportation website could have been more damaging, according to a doctoral candidate at the University of Cambridge.

Joseph Bonneau, who is working on a thesis on password security, analyzed the disclosed passwords and found that more than 1,300 were randomly generated when users signed up for accounts at myBART, a marketing site for Bay Area Rapid Transit (BART).

Between 2001 until 2006, myBART did not allow users to change passwords, which consisted of two digits plus up to eight lower-case characters, Bonneau said in an interview. That was good, since users were unlikely to reuse the randomly generated passwords on other accounts, such as e-mail or social networking services.

It's not uncommon for people to use the same password across a range of websites. Security experts generally advise against it, since if the password is compromised, a variety of data could be obtained by hackers by trying out the password on other sites.

In the case of myBART, which was a marketing site, the accounts that were compromised aren't valuable.

"There's no interest for criminals or even people who want to do vandalism in the myBART account, but if you can try those passwords and e-mail addresses elsewhere, you can get interesting accounts," Bonneau said.

It's rare for websites to mandate randomly generated passwords. Bonneau and a colleague, Sören Preibusch, conducted a survey in 2010 of password practices across some 150 popular websites. Only one issued a randomly generated passwords.

MyBART e-mailed the passwords to users, which may be fine for accounts that aren't that important or infrequently accessed since users can look the password up if they forget, Bonneau said. But the website stored the passwords unhashed in its database -- considered to be an unsound security practice -- which eventually led to exposure by Anonymous.

Anonymous attacked myBART after the transportation agency on Aug. 11 shut off mobile-phone service to hundreds of thousands of commuters to thwart a planned protest over two fatal shootings by its police force.

Just a few days later, Anonymous struck BART again, publicly posting names, home addresses, e-mail addresses and passwords of 102 BART police officers.

Send news tips and comments to [email protected]


IDG UK Sites

Best Black Friday 2014 tech deals UK: Get bargains on phones, tablets, laptops and more this Black...

IDG UK Sites

Tomorrow's World today (or next year)

IDG UK Sites

25 iOS apps turn (Red) for World AIDS Day campaign

IDG UK Sites

Advanced tips for Mac OS X Yosemite: use Yosemite like an expert - 5 new tips added