
Holy Data Breach, Batman! Hackers Hit Comixology

Source: Tom's Guide US

Not even superheroes are safe from data breaches.

Popular online and mobile digital-comics store Comixology informed its subscribers today (March 6) that "an unauthorized individual" had accessed its database of customers' usernames, email addresses and passwords.

However, the passwords were encrypted, Comixology said in its email to subscribers. Even if the passwords were stolen, they shouldn't be readable so long as the encryption was decent.

Comixology also said it didn't store users' payment information on its own servers, so the intruder wouldn't be able to access Comixology readers' credit-card numbers and other payment data. 

Registered Comixology users should have received emails this morning alerting them to the data breach. Any mobile devices on which the app is loaded should have received push notifications.

If you use Comixology, you should change your account password, either via the website or the mobile app. If you use the same username or password — particularly if you use the pair together — anywhere else, you should change those as well.

It's not clear when Comixology first detected the intruder. The email alert said that the unauthorized access was discovered "in the course of a recent review and upgrade of our security infrastructure." But overall, it looks as if Comixology has done everything right, as far as reporting data breaches goes.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

  • 4 Hide
    Christopher Shaffer , March 6, 2014 10:43 AM
    If I was going to hack Comixology, I wouldn't steal user info. I'd steal comics. Maybe set myself up with a life-time sub to everything from Vertigo and all the Wolverine titles. These hackers need to get their priorities straight.
  • 1 Hide
    bustapr , March 6, 2014 11:12 AM
    That's not how it works. These hackers usually work with DDoS attacks to breach security, and during the attack they steal small packets of information such as passwords and names. All this is no more than a few minutes. Stealing large files such as comics is a whole different thing that isn't possible in this method. And setting up a lifetime sub is a thing of movies.
  • 0 Hide
    rajangel , March 6, 2014 11:43 AM
    So long as the encryption was "decent." What a riot, that Comixology doesn't even know what encryption was used in their system. Way to inspire trust in your users, guys.
  • 2 Hide
    Gillerer , March 6, 2014 11:50 AM
    Quote:
    What a riot, that Comixology doesn't even know what encryption was used in their system.
    There are reasons why businesses don't just share their security protocols in public.
  • 0 Hide
    koga73 , March 6, 2014 12:28 PM
    They should have just said the encryption is decent. And hackers did not break in using DDoS. That is only used to bring down a site by flooding it with traffic. Most likely the hacker got in with stolen creds or SQL injection. Once in they can export the db (though the passwords should be hashed (one way) not encrypted (two way)). And it may be possible for a hacker to give themselves a "lifetime subscription". All they would have to do is find in the db where subscriptions are handled and add or modify a row.
  • -2 Hide
    ddpruitt , March 6, 2014 12:52 PM
    Quote:
    Quote:
    What a riot, that Comixology doesn't even know what encryption was used in their system.
    There are reasons why businesses don't just share their security protocols in public.
    Yea because they know they're crap. Security by obscurity has never worked. Between a website that lets everyone know that they use a strong encryption algorithm versus a website that hides the fact that they use MD5, the website that uses MD5 always loses.
  • 1 Hide
    f-14 , March 6, 2014 7:24 PM
    Comic Book Guy Jeffrey Albertson did it. Would be a great thing to plug in a later Simpsons episode.
  • 0 Hide
    jimmysmitty , March 6, 2014 10:34 PM
    So long as they used something strong like AES 256 they won't get it. Most smart companies use at least that.
  • 2 Hide
    Heironious , March 7, 2014 12:45 AM
    Oh...my...gawd. All 12 users have had their passwords stolen!!
  • 0 Hide
    c123456 , March 7, 2014 4:08 AM
    @ddpruitt: You really think they used MD5? It's been well known not to use it, SHA-1, etc. for quite a while now on online passwords. Using either bcrypt or AES, and they're golden. bcrypt has some very good implementations in basically every server side language for this purpose even.
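
Added example (not part of the article, not any commenter's post, and not Comixology's code): the thread contrasts one-way hashing with reversible encryption, and unsalted MD5 with bcrypt. This Python sketch stores passwords with the standard library's scrypt as a stand-in for bcrypt and shows what a copied table reveals under each scheme; the usernames, passwords and cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

N, R, P = 2**14, 8, 1  # scrypt cost parameters (assumed; tune for your hardware)

def md5_record(password: str) -> str:
    """Fast, unsalted digest: the weak scheme the thread warns about."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow one-way record: scrypt$N$r$p$salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), digest.hex()])

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def shared_values(table: dict) -> list:
    """Groups of users whose stored value is identical in a copied table."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; alice and bob picked the same password.
USERS = {"alice": "batman123", "bob": "batman123", "carol": "w0lverine!"}
md5_table = {u: md5_record(pw) for u, pw in USERS.items()}
scrypt_table = {u: scrypt_record(pw) for u, pw in USERS.items()}

if __name__ == "__main__":
    print("MD5 table, users sharing a stored value:", shared_values(md5_table))
    print("scrypt table, users sharing a stored value:", shared_values(scrypt_table))
    print("login check:", verify("batman123", scrypt_table["alice"]))
```

With unsalted MD5 the identical stored values show that alice and bob chose the same password; with a per-user salt every record differs, and the server can still check a login without being able to reverse the record.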
  • 0 Hide
    Christopher Shaffer , March 7, 2014 7:49 AM
    @bustapr Wow, if ever there was a complete lack of understanding of sarcasm, there it is. My post is what is sometimes referred to as a joke, using a form of blatant sarcasm to suggest an improbable idea. That said, I'm an EE and I work in software development, so I'm very clear on the methods and what hackers employ and have access to, but thanks.