Allrecipes, the self-described “food-focused social network”, has sent an email out to some of its users warning that their email addresses and passwords may have been intercepted by an unknown third-party.
In the email, the site warns that users who registered an allrecipes.com account or logged on as a registered member of the site prior to June 2013 (yes, that’s almost four years ago), may have had their email address and password stolen.
Part of the email reads as follows:
We recently determined that the email address and password typed into allrecipes.com by members when they created or logged into their accounts prior to June 2013 may have been intercepted by an unauthorized third party. Based on information available to us, we cannot determine with certainty who did this or how this occurred. Our best analysis is that email addresses and allrecipes.com passwords were intercepted during account registration or login by our members.
To its credit, the site has advised affected users to change their Allrecipes password, and ensure that they are not using the same password anywhere else on the net:
Out of an abundance of caution, we recommend that all members who registered or logged into allrecipes.com prior to June 2013 promptly change their password. We are taking other steps as well and will continue to work diligently to deter unauthorized activity.
You should promptly change your password on allrecipes.com and on any other sites for which you use the same username and password.
To its discredit, however, I could find no mention of the breach on the Allrecipes website and its official Twitter account continues to seem keener to tweet out links to “5 Girl Scout Cookie Copycats to Tide You Over Until Next Year” than spread word to its 60,000 followers that it has suffered a security breach.
From what I have seen, Allrecipes has only mentioned the breach when asked direct questions about it via Twitter. How hard would it have been to post a link to an advisory on the front page of its website, and tweet out a link to it?
Clearly plenty of questions remain about how this security breach might have happened, and Allrecipes’ response to it. But at the very least I would have been pleased to see them be more transparent with their users.
The data breach has, understandably, left an unpleasant taste in the mouths of affected users – some of whom turned to Twitter to express themselves.
Just notified by @Allrecipes that my email & password were compromised. This recipe makes me sick. Now my email is public.
— Laurel Ann Nattress (@Austenprose) April 19, 2017
That Twitter user is correct. It’s not just a problem that their password has been exposed. Passwords, after all, can be changed fairly easily, and if you’re only using a password in one place then the risks are, at least, reduced.
Most users, however, only have one email address and aren’t keen to change them that often. A hacker who has stolen your email address and password may not only attempt to use those credentials to unlock other online accounts you own, but might also monetise their theft by launching spam or phishing attacks against your inbox.
If you want to hear more advice about password security, be sure to check out our “Smashing Security” podcast on the topic:
Smashing Security: 'Passwords'
I was one of those who received the email from Allrecipes regarding the breach. Further to your point, "How hard would it have been to post a link to an advisory on the front page of its website, and tweet out a link to it?", what's even worse is that in the email they sent it says to go to the website if you have further questions. I did that, and all my digging could find NOTHING mentioned anywhere about it! Not pleased…
Hi Graham,
There is an FAQ Notice of Data Breach at https://wecare.allrecipes.com/ but it's so well hidden that I only found it through a third party.
Cheers,
Neil
I admire your detective work in finding that Neil!
Sadly I suspect 99.99% of AllRecipes' users are likely to visit that URL, and will remain in the dark.
I see AllRecipes' Twitter feed seems happier to post about cupcakes than data breaches.
I never click on a link inside an email especially when they say to change my password. I go to the website and check for more information which I did not find in this case so I assumed it was a phishing scam until I found more info here.
I have been getting malware sent to an address used only at AllRecipes for more than two years. I notified them of this at that time and they did not take it seriously.
Like Skidaddl and Cheryl I went to the allrecipes.com site to look for information about the compromise and found none. Based on the info at the link Neil posted, our credentials were compromised nearly 4 years ago, and this was just discovered. The allrecipes.com site doesn't use TLS and will redirect from HTTPS to HTTP. I give them a failing grade in all areas: security, auditing, and transparency.
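The commenter above reports that the site redirected HTTPS requests to plain HTTP. The following is an added example, not code from the article or from any commenter, showing how a defender can check a site for that kind of transport downgrade without relying on a browser: it walks a redirect chain and reports whether any hop drops from https to http, whether the final page is served over HTTPS, and whether it sets a Strict-Transport-Security header. The responses it walks are a constructed, in-memory stand-in for a web server (the hostnames are placeholders, not allrecipes.com), so the example runs offline; in practice the `fetch` callable would be replaced by a real HTTP client that does not follow redirects itself.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses standing in for a server: URL -> (status, headers).
# These hostnames are placeholders and the data is invented for illustration.
CONSTRUCTED_RESPONSES = {
    # Site that downgrades: HTTPS front page bounces the visitor to plain HTTP.
    "https://www.example.test/": (301, {"Location": "http://www.example.test/"}),
    "http://www.example.test/": (200, {}),
    # Site that does it right: stays on HTTPS and sends an HSTS header.
    "https://secure.example.test/": (
        200,
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    ),
    # Site that redirects to itself, to show the loop guard.
    "https://loop.example.test/": (302, {"Location": "/"}),
}


def constructed_fetch(url):
    """Stand-in for an HTTP client that does NOT follow redirects on its own."""
    return CONSTRUCTED_RESPONSES.get(url, (404, {}))


def walk_redirects(start_url, fetch, max_hops=10):
    """Follow redirects from start_url and return the ordered list of URLs visited.

    `fetch(url)` must return (status, headers). Relative Location values are
    resolved against the current URL; the walk stops on a non-redirect status,
    a missing Location header, a loop, or after max_hops hops.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            return chain
        url = urljoin(url, headers["Location"])
        chain.append(url)
        if chain.count(url) > 1:
            return chain  # redirect loop: stop rather than spin
    return chain


def assess_transport(start_url, fetch):
    """Summarise whether a redirect chain keeps the visitor on HTTPS."""
    chain = walk_redirects(start_url, fetch)
    schemes = [urlsplit(u).scheme for u in chain]
    # A downgrade is any hop that goes from https to http.
    downgraded = any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))
    final_https = schemes[-1] == "https"
    _, final_headers = fetch(chain[-1])
    # HSTS only counts when delivered over HTTPS; browsers ignore it on plain HTTP.
    hsts = final_https and "Strict-Transport-Security" in final_headers
    return {
        "chain": chain,
        "downgraded": downgraded,
        "final_https": final_https,
        "hsts": hsts,
    }


if __name__ == "__main__":
    for start in ("https://www.example.test/", "https://secure.example.test/",
                  "https://loop.example.test/"):
        print(start, assess_transport(start, constructed_fetch))
```

A site that passes this check should show `downgraded` False, `final_https` True and `hsts` True; a downgrade means that every login form and password-change request can be read or altered by anyone on the network path, which is exactly the kind of interception the breach notice describes.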
I've been using this site since about 2009 and they didn't even have the courtesy to email me. What's worse, I went to the site to change my password and before I could access my settings it prompted for a password reset without even confirming the old one! So after you've been breached, you allow just about anyone to change my password? Thanks for giving crap about personal information Allrecipes.