@accalia said in Scrum.org hacked and they stored encrypted passwords along with the key! WTF?!:
@oldcoder salted passwords.......
but they were stored encrypted! with a decryption key!
salting is useless if you can decrypt the password!
Yeah sorry, a rushed post at work.
I meant that since the passwords were apparently salted they were probably hashed not encrypted, and that the email from scrum.org was just incorrectly worded.
I've just got a reply from them though...
The Scrum.org platform used a commercially available software package to manage users' passwords and access to a user's information. During our investigation into this security incident, we have been made aware of the security capabilities of this software package, which included the use of encryption keys and salted passwords instead of hash functions to store the password. We have implemented greater security protections as a result of the applied patches and are working to include the use of one-way hash functions to store the password. However, the changes to implement one-way hashing require changes to our interface, and we are diligently working to roll out our use of the new capability as soon as possible. Following the incident, we invalidated all passwords to protect them, hence requiring a new password be created on your next login.
We do not know if any of this was taken, but are treating it as if it was to ensure your account remains protected.
We apologize for any inconvenience this may have caused you and please let us know if you have any further questions.
Obviously I have asked what the product was but I'm guessing they won't say. I agree with others here that it might have been a home grown solution, possibly coded by someone's kid. This doesn't sound likely if it was an off-the-shelf solution: "We have implemented greater security protections as a result of the applied patches and are working to include the use of one-way hash functions to store the password."
I can't think why they would want to protect a commercial vendor. I guess it's possible they are protecting themselves by not revealing their tech stack.