MusicBrainz data dump serves as a warning for password reuse: Trend Micro

Security vendor weighs in on the recent data dump and the importance of different passwords

MusicBrainz, the popular open content music database, disclosed at the end of March that a database dump had taken place and user information had been downloaded.

One of these dumps contained password hashes for a large portion of MusicBrainz accounts, and the site responded by deleting and replacing it with correctly sanitised database dumps.

While the site admits to having no idea where the data is now located, it is asking all users to change their passwords.

MusicBrainz has attempted to downplay the incident by saying that the password hashes are neither useful nor widely distributed, and that the data should not allow attackers to retrieve user passwords.

Without seeing the stolen data in question, Trend Micro A/NZ strategic products senior manager, Adam Biviano, said it is difficult to ascertain whether user passwords are at risk, as it is dependent on the hash algorithm that was used.

“We saw in the recent breach of one of the ABC’s websites that the hashing algorithm allowed an attacker to quite easily discover many of the passwords,” he said.

“Even with a strong hashing algorithm, simple passwords like common words are easy to discover by using a brute force dictionary attack against the hash contents.”

In response to the situation, MusicBrainz said it will adjust its database dumping scripts to be specific about which data to export in order to avoid future leaks of private data.

Biviano said the data dump incident is not limited just to MusicBrainz, adding that “these attacks are more common than [he] would like to see.”

“The ABC fell victim to this problem just recently, and I’m never surprised when I hear of these incidents as it seems to be quite commonplace these days,” he said.

Password protection

As for whether there is anything a user can do to protect themselves from these types of incidents, Biviano said it is mainly up to the site’s administrator or owner to provide protection.

However, individuals are able to take certain steps to minimise the impact to themselves.

“If they reuse the same username and password combination for many different websites, then if their password is discovered for one then an attacker may be able to take over many online services that the individual may have access to,” he said.

“If they use a complex password that is not a common word or has a mixture of letters and numbers, then if a hashed version is released to the public, the odds of it being cracked are a lot less.”

If a user discovers through an email from a site administrator that their password may have been compromised, Biviano said they should think about where else they have used that password and change it too.
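The two points made above, that exposure depends on the hash algorithm and that common words fall to a dictionary check whatever the algorithm, can be seen in a weak-password audit a site operator might run over its own credential store. This is an added example, not code from MusicBrainz or Trend Micro; the algorithms (unsalted SHA-1, salted PBKDF2), the iteration count, the word list and the accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny common-word list and three made-up accounts.
COMMON_WORDS = ["password", "letmein", "dragon", "music", "qwerty"]
ACCOUNTS = {"alice": "dragon", "bob": "dragon", "carol": "x7#Lq9!vTz2m"}
ITERATIONS = 50_000  # assumed value for the demo, not a production recommendation

def unsalted_sha1(password):
    # Fast, unsalted hash: identical passwords give identical digests.
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password, salt):
    # Slow, salted key-derivation function: digest differs per account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def build_stores(accounts):
    """Return the same accounts stored two ways: unsalted SHA-1 and salted PBKDF2."""
    unsalted = {u: unsalted_sha1(p) for u, p in accounts.items()}
    salted = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        salted[user] = (salt, salted_pbkdf2(password, salt))
    return unsalted, salted

def audit_unsalted(store, words):
    """One pass over the word list covers every account at once."""
    table = {unsalted_sha1(w): w for w in words}
    weak = {u: table[h] for u, h in store.items() if h in table}
    return weak, len(words)  # hash computations needed

def audit_salted(store, words):
    """Each candidate word must be recomputed for each account's salt."""
    weak, work = {}, 0
    for user, (salt, digest) in store.items():
        for word in words:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(word, salt), digest):
                weak[user] = word
                break
    return weak, work  # each unit of work costs ITERATIONS HMAC rounds

if __name__ == "__main__":
    unsalted, salted = build_stores(ACCOUNTS)
    print("unsalted SHA-1:", audit_unsalted(unsalted, COMMON_WORDS))
    print("salted PBKDF2 :", audit_salted(salted, COMMON_WORDS))
```

Both audits flag the two accounts that use a dictionary word and neither flags the random password; the salted store only raises the work per guess and hides the fact that two users share a password.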

Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.
