Google Gets In Front of Billabong Data Breach

Last week was a bad week for password breaches.  The most obvious incident was the news about the Yahoo! breach of approximately 450,000 user logins and email addresses of the Yahoo! Voices service.  The worst part of this breach, and in my mind what makes it even more egregious than the LinkedIn breach that I wrote about last month is that in the Yahoo! case, the passwords that were compromised weren't encrypted at all.  They were stored in plain text!  Once compromised, the attackers didn't have to do any work to crack their stolen list to make it usable.  The data was merely handed to them on a platter.

With all of the news surrounding the Yahoo! incident, you may not have known that less than 24 hours after that news broke hackers also dumped a cache of logins and passwords alleging to result from a hack of billabong.com.   Once again these passwords were being stored in plain text, resulting in zero work required by the hackers to crack the passwords once they were stolen.

The purpose of this post, however isn't to point blame or ponder why we appear to have learned nothing about proper password management.  It's actually to give kudos to Google for their response to the situation.

What Google did was a matchup between the email addresses that were made available to their own Google Apps database and sent an email message out to domain admins for those domains believed to have been affected by the breach.  An excerpt of their email follows:

IMPORTANT: SECURITY ALERT FOR YOUR GOOGLE APPS ACCOUNT

Google has become aware of a security incident involving Billabong that may have affected the security of some users in your Google Apps domain: REDACTED.

The following users were found on a list of compromised Billabong credentials released by those claiming responsibility for the Billabong security breach.

These users signed up for their Billabong account using their Google Apps email address and there is a high risk that they used the same password for both their Billabong account and Google Apps account:

<user list here>

Although part of the reason that Google sent this message out to Google Apps domain admins was to protect their own interests since the compromised Billabong accounts may use the same password as their Google Apps account, I applaud Google's response here in wanting to get in front of the issue and alert their users of the potential for these accounts to be taken over by the bad guys.  This wasn't their issue to respond to, yet they took the initiative with the goal of protecting their users.  As an industry, I'd love to see more of this.  Kudos!