The only silver lining on the cloud is that trading and commerce platforms were not impacted by the hack.
Users of NASDAQ’s community messageboards should have received an email from the site, warning users about the security breach and advising members to change their passwords on *other* websites if the same password was being used.
My guess is that the servers running the NASDAQ community messageboard software had not been properly configured or not kept updated against vulnerabilities, and this allowed hackers an open window to access sensitive information.
Of course, it’s never a good idea to use the same password in multiple places. If you are reckless and use the same password on multiple websites, then when *one* site suffers a serious security breach and hackers manage to get hold of passwords, your accounts on *other* sites could be at risk too.
Worryingly, there is no mention of passwords being securely encrypted, suggesting that the site could have been storing users’ passwords in an insecure fashion up until now.
What also irks me is how NASDAQ is describing the issue on the (currently shut-down) community forum itself:
We are currently upgrading the NASDAQ.COM Community site.
We apologize for the inconvenience.
Any member of the online NASDAQ community who has missed the email advisory won’t be any the wiser from that message that the site has been hacked, and that their usernames, email addresses and passwords have been compromised.
Shouldn’t the site be more upfront about the security breach, and offer – for instance – advice that if members were using the same passwords elsewhere on the net, that they should be changed as a matter of priority?
Wouldn’t it be helpful to warn about the threat of phishing emails?
The simple “we’re upgrading the site” message feels to me a little like an attempt to brush the issue under the carpet, in the hope that the very people who need to be warned there is an issue – the community’s members – don’t notice.
Although I’m obviously pleased that an email was sent out (hey! let’s hope none of them were to an expired Yahoo address, eh?), consider me unimpressed by NASDAQ’s handling of this.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.