Password reuse is not a fictional issue; it’s a clear and present danger. Just ask popular blogging service WordPress.com. Last week, information on 5 million Google accounts was publicly posted on a Russian Bitcoin forum site. On Sept. 10, Google responded to the issue by publicly denying that its site had been breached and claiming that fewer than 2 percent of the accounts in the Russian breach list were actually valid.
As it turns out, although Google itself didn’t see much impact, the exposure from the 5 million accounts is broader than just Google.
Late evening on Sept. 12, WordPress revealed that it was taking proactive measures to secure its WordPress.com users against the Google account disclosure. WordPress has an open-source content management system (CMS) as well an online service at WordPress.com, where users can create their own blogs. WordPress.com accounts can also be used by self-hosted open-source WordPress users to get a number of services from WordPress.com.
“This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users,” WordPress staffer Daryl Houston wrote in a blog post. “We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password.”
So to recap, information on 5 million Google accounts was publicly posted, and the information did not come from a breach of either Google or WordPress.com. Google has stated that approximately 2 percent of its users were impacted, which works out to be approximately 100,000 users—not coincidentally, the same number of accounts that WordPress has reset.
WordPress.com, like Google, is also being proactive with its users about the potential risk. While the only immediately vulnerable users from the Google accounts disclosure are those with a valid username and password, there is still a potential risk for the other accounts as well.
Houston noted that in addition to the 100,000 WordPress.com accounts that were reset, an additional 600,000 WordPress accounts are also potentially at risk, since the account emails are on the leaked Google account list.
“Since these users were not immediately vulnerable, we did not reset their passwords or send emails but we will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand,” Houston wrote.
Clearly, users reuse accounts and passwords across sites. It’s a risk that security experts often have warned of after many breaches, and it’s not a theoretical risk. Simply put, password reuse increases the risk for users whenever a breach occurs. The unfortunate reality of the modern world is that breaches are a common occurrence, so the prudent course of action is to have unique passwords for different sites to minimize the risk.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.