The Racing Post is advising users of its website to change their passwords for other sites if they use the same one in case hackers break the encryption.
The company has promised to adopt “stringent” new measures to prevent a repeat of the weekend security breach on its website racingpost.com.
The Racing Post said its website was hit by a “sophisticated, sustained and aggressive” attack that compromised a database containing customer details including usernames and encrypted passwords.
The company said the risk will vary according to how much information users gave when they registered, but that no credit or debit card details are at risk.
“Betting through the site with our partner bookmakers has at all times been unaffected as this activity takes place directly with the bookmaker,” the company said in a statement on its website.
The Racing Post said it has turned off the ability to register or log in to racingpost.com, making the site safe to use.
Racing Post editor Bruce Millington said the attack may be part of a wider attack on a number of companies.
Lloyd Brough, cyber incident response director at information assurance firm NCC Group, said the attack appears to be a common web application vulnerability that was exploited to compromise the database.
“While it is positive Racing Post has been quick to disclose the breach, providing further technical details on what type of ‘encryption’ was used for the passwords would have helped further inform technical users,” he said.
According to Brough, organisations often claim encryption when in fact they are using hashing via algorithms such as MD5 without salts or iteration counts.
“If this is the case then it is little better than using unencrypted passwords due to the trivial nature of recovering them,” he said.
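The following is an added example, not code from the article or from NCC Group, illustrating Brough's point: a dump of unsalted, single-iteration MD5 digests falls to one precomputed lookup table, whereas per-user salts and an iteration count force an attacker to work per user and per guess. The usernames, digests, wordlist and iteration count are constructed for this illustration and have no connection to the Racing Post data.

```python
"""Added example: why unsalted MD5 is 'little better than unencrypted' and
what salting plus an iteration count changes.  All usernames, digests and the
wordlist below are constructed; none of it comes from the Racing Post breach."""
import hashlib
import hmac
import os

# Constructed dump of the weak scheme: username -> MD5(password) hex digest,
# no salt, one iteration.  Note that alice and bob share a digest, so the
# attacker learns they have the same password before cracking anything.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",
    "carol": "0d107d09f5bbe40cade3de5c71e9e9b7",
    "dave":  hashlib.md5(b"Tr0ub4dor&3-not-in-any-list").hexdigest(),
}

# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "winner2013"]

# Demo iteration count only.  Production guidance for PBKDF2-HMAC-SHA256 is
# several hundred thousand iterations, or use bcrypt/scrypt/Argon2 instead.
ITERATIONS = 50_000


def crack_unsalted_md5(leaked, wordlist):
    """Hash every wordlist entry once, then crack the whole dump by lookup.
    Cost is O(len(wordlist)) regardless of how many users leaked, and every
    user who chose the same password falls at the same moment."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[d] for user, d in leaked.items() if d in table}


def pbkdf2_store(password, iterations=ITERATIONS):
    """What 'salts and iteration counts' look like in practice: a random
    per-user salt and a deliberately slow key derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def pbkdf2_verify(password, record):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               record["salt"], record["iterations"])
    return hmac.compare_digest(cand, record["dk"])  # constant-time compare


def crack_pbkdf2(records, wordlist):
    """With per-user salts there is no shared table: the attacker repeats the
    work for each user, and each guess costs `iterations` HMAC evaluations.
    Returns (cracked, number_of_pbkdf2_evaluations)."""
    cracked, evaluations = {}, 0
    for user, rec in records.items():
        for guess in wordlist:
            evaluations += 1
            if pbkdf2_verify(guess, rec):
                cracked[user] = guess
                break
    return cracked, evaluations


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {"alice": pbkdf2_store("password"), "bob": pbkdf2_store("password")}
    print("same password, different records:",
          salted["alice"]["dk"] != salted["bob"]["dk"])
    print("pbkdf2 cracked, evaluations:", crack_pbkdf2(salted, WORDLIST))
```

Two things the run makes visible. First, the unsalted dump is cracked in a single pass that also exposes shared passwords. Second, salting and iteration do not rescue a weak password: alice and bob still fall to a short wordlist, just at a per-user, per-guess cost, which is why the advice in the opening paragraph to change any reused password stands regardless of how the site stored it.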