Hackers hit the NASDAQ community forum, email addresses and passwords compromised

NASDAQ forum hackThere is bad news if you are in the habit of discussing stocks on the NASDAQ community forum, because hackers have managed to break into the site, and could have compromised usernames, email addresses and passwords.

The only silver lining on the cloud is that trading and commerce platforms were not impatced by the hack.

Users of NASDAQ’s community messageboards should have received an email from the site, warning users about the security breach and advising members to change their passwords on *other* websites if the same password was being used.

Email from NASDAQ

My guess is that the servers running the NASDAQ community messageboard software had not been properly configured or not kept updated against vulnerabilities, and this allowed hackers an open window to access sensitive information.

Of course, it’s never a good idea to use the same password in multiple places. If you are reckless and use the same password on multiple websites then if *one* site suffers a serious security breach and hackers manage to get hold of passwords, then your accounts on *other* sites could be at risk too.

Worryingly, there is no mention of passwords being securely encrypted suggesting that the site could have been storing users’ passwords in an insecure fashion up until now.

What also irks me is how NASDAQ is describing the issue on the (currently shut-down) community forum itself:

Sign up to our free newsletter.
Security news, advice, and tips.

NASDAQ forum

We are currently upgrading the NASDAQ.COM Community site.

We apologize for the inconvenience.

Any member of the online NASDAQ community who has missed the email advisory, won’t be any the wiser from that message that the site has been hacked, and their usernames, email addresses and passwords have been compromised.

Shouldn’t the site be more upfront about the security breach, and offer – for instance – advice that if members were using the same passwords elsewhere on the net, that they should be changed as a matter of priority?

Wouldn’t it be helpful to warn about the threat of phishing emails?

The simple “we’re upgrading the site” message feels to me a little like an attempt to brush the issue under the carpet, in the hope that the very people who need to be warned there is an issue – the community’s members – don’t notice.

Although I’m obviously pleased that an email was sent out (hey! let’s hope none of them were to an expired Yahoo address, eh?)

Consider me unimpressed by NASDAQ’s handling of this.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Hackers hit the NASDAQ community forum, email addresses and passwords compromised”

  1. cypherpunk

    Did they leak the hacked content on Pastebin or somewhere else ?

    1. Graham CluleyGraham Cluley · in reply to cypherpunk

      I haven't seen any evidence of that.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.