LibraryThing sends out security breach notice to members today – 2 years after attack occurred

So, I’m at home nursing the worst flu I’ve had in years and I get the email from Tim Spalding, Founder and President of LibraryThing, announcing that back in November 2011 (!) hackers had broken into their site and stolen member user data including email addresses and encrypted password hashes. So what this basically means is that the hackers could, in theory, have run the encrypted passwords against a brute force tool to try to decrypt them… but as Tim does mention in his blog article, the fact that they didn’t take user names (or other user data) suggests they just wanted a list of hundreds of thousands of ‘live’ email addresses for spamming purposes.
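
The two things the notice implies a site has to get right are how password hashes are stored (so a stolen table is expensive to brute force) and how a forced reset is carried out (so the emailed link cannot be guessed or replayed). The example below is my own added illustration, not LibraryThing’s code, and it assumes nothing about which hash they actually used: passwords are stored as salted PBKDF2-HMAC-SHA256, affected accounts are locked until reset, and the server keeps only a SHA-256 of each random reset token so that even a leak of the pending-token table cannot be used to take over accounts. The class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Assumption: a per-user random salt and a slow KDF. The iteration count is
# kept moderate for the demo; production guidance is several hundred thousand.
PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL = 24 * 3600  # seconds a mailed reset link stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class PasswordResetStore:
    """In-memory model of a breach response: lock affected accounts, mail a
    single-use, expiring token, and accept a new password only via that token."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self.users: Dict[str, str] = {}            # user_id -> stored hash
        self.must_reset: Set[str] = set()          # accounts locked pending reset
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

    def breach_response(self, user_ids) -> None:
        """Old passwords for the affected accounts stop working immediately."""
        self.must_reset.update(user_ids)

    def issue_reset_token(self, user_id: str) -> str:
        """Return the token that goes into the emailed ?token=... link.
        Only its hash is stored server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (user_id, self._now() + RESET_TOKEN_TTL)
        return token

    def redeem(self, token: str, new_password: str) -> bool:
        """Consume the token (single use), reject if unknown or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return False
        user_id, expires_at = entry
        if self._now() > expires_at:
            return False
        self.users[user_id] = hash_password(new_password)
        self.must_reset.discard(user_id)
        return True

    def login(self, user_id: str, password: str) -> bool:
        """Accounts flagged for reset cannot log in with the old password."""
        if user_id in self.must_reset:
            return False
        stored = self.users.get(user_id)
        return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    store = PasswordResetStore()
    store.users["alice"] = hash_password("old-pass")   # constructed sample account
    store.breach_response(["alice"])
    link_token = store.issue_reset_token("alice")
    print("login before reset:", store.login("alice", "old-pass"))   # False
    print("redeem:", store.redeem(link_token, "new-pass"))           # True
    print("login after reset:", store.login("alice", "new-pass"))    # True
```

The ordering matters: the lock is applied before tokens are mailed, so a hash cracked from the stolen table is useless even for members who have not yet clicked the link, and the token is hashed at rest for the same reason the passwords are.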

I’ve been a member of LibraryThing for many years now – it’s a very cool sort of ‘social reading’ site where you ‘catalogue’ and share what books you have in your home library. In reality, it’s probably been eclipsed by sites like Amazon … I’m surprised, in fact, that no one acquired LibraryThing a long time ago.

From: [email protected] [mailto:[email protected]]
Sent: February 4, 2014 18:53
To: Robin Majumdar
Subject: Security Notice: LibraryThing Password Reset

During a security review, we found that LibraryThing suffered a data breach in November 2011. While no book data or financial information was taken, lost or changed, the hackers did take email addresses and encrypted password hashes for some accounts created prior to that date.

As a security precaution, we are requiring all members to change their passwords, here:

http://www.librarything.com/changepassword.php?token=7283939171w699e

Please read our longer description of the breach here:

http://blog.librarything.com/main/2014/02/password-reset/

The entire LibraryThing team and I deeply regret and apologize that this happened on our watch. Since 2011, we have significantly improved our security measures, which have been further tightened across the board since we discovered this breach. As a further apology, we are upgrading you and all LibraryThing members who joined prior to November 20th, 2011 to full lifetime accounts.

Sincerely,

Tim Spalding
LibraryThing Founder and President