R00tbeer Hackers Hit Philips

Following their AMD blog hack on Sunday, the r00tbeer hacker group has hit a new target – Dutch electronics manufacturer Philips.

The group has stolen and posted online several Philips.com databases containing almost 200,000 email addresses, accompanied by a mix of customer records including names, postal addresses, birthdays, phone numbers and passwords – some of them stored in plain text.

At the time of publication, Philips had not responded to a request for comment.

Out of salt

R00tbeer seems to be a new player on the scene. The group opened a Twitter account on 18 August and had assembled 396 followers at the time of this story being published. Their first target was the user database of thebotnet.com forums, a community with over 96,000 members. After posting the database online on Sunday, r00tbeer promised their next target would be “a large company.”

The victim they chose was AMD, and its news website blogs.amd.com. The hackers stole and dumped the database containing the details of 190 internal accounts, including information on usernames, email addresses, hashed passwords and, in some cases, full names of AMD staff. No customer details appeared to be compromised. Two days after the hack, AMD blogs still remain offline.

On Monday evening, the group announced they hacked another website, belonging to Philips. In the attack, r00tbeer stole seven SQL tables containing customer details and a separate file with over 197,000 email addresses.

According to InfoSecurity magazine, more than 350 email addresses and passwords of Italian customers who had purchased Philips flat-screen TVs a few years ago were posted in plain text.

In one of the databases, the passwords were hashed, but not “salted”, making the protection a lot less secure. Using a single CPU on a three-year-old laptop, Sophos security blogger Paul Ducklin recovered 139 out of 375 unique password hashes contained in that particular database, in just two minutes.

According to Ducklin, Philips has to take blame for two mistakes. First, the passwords shouldn’t have been accessible in the first place. But even if the passwords are leaked, there are ways to make them less useful to cybercrooks. That’s where Philips made its second mistake: the passwords shouldn’t have been stored unsalted, or even worse, in plain text.

“By leaking passwords, you may give away personal information beyond the scope of the user and the data you’re protecting,” writes Ducklin. The researcher has also criticised the choices of user passwords, with plenty of old favourites in the list, such as “1234”, “password” and “qwerty”. The very obvious “philips” made five appearances in the leaked databases.

Not one to rest on its laurels, several hours after attacking Philips, r00tbeer hit the UK student community thestudentroom.co.uk.

The resulting database dump was 82 MB large, but the exact contents of it are not known, since the file was promptly deleted by the hosting company Mediafire.

Despite its frenzied activity, r00tbeer hasn’t managed to cause too much harm. If the group continues to hit websites at this rate, it might actually serve as a wake-up call to companies like Tesco, which continue to ignore best security practices.

UPDATE: Philips has posted the following statement on its website: “We immediately investigated and, at this time, all indications are that the information posted today is identical to the information accessed earlier this year when data was stolen from Philips websites. We continue our investigation into the events of today and will update as appropriate.

“As previously communicated, the event of earlier this year related to some of Philips’ internet micro-sites, which are small websites used for campaigns and marketing promotions. On February 13, Philips immediately disabled the affected sites and it initiated an investigation eventually including third-party data security experts, Philips experts and law enforcement. After an extensive investigation, Philips concluded its probe into the security issue in April and has taken steps to improve security to protect our valued customers’ data against future criminal activity.”

How well do you know Anonymous? Take our quiz!