James Thew - Fotolia

What caused the ClixSense privacy breach that exposed user data?

A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held accountable for their security practices.

User data from 6.6 million ClixSense accounts was exposed, including login credentials, home addresses, IP addresses and payment histories. The website had stored the passwords as unhashed plaintext. Why did ClixSense choose to store plaintext passwords? Should storing plaintext passwords be essentially prohibited as an industry practice?

ClixSense is a paid to click service where members can make money online by completing surveys and viewing advertisements. A recent privacy breach led to details from more than 6.6 million ClixSense user accounts being offered up for sale, which also exposed the service's appalling information handling practices and lack of security controls to protect its users' personal data.

Information including passwords, email addresses, dates of birth, sex, first and last names, home addresses, IP addresses, account balances and payment histories were taken from a compromised database. The shocking thing is that the passwords were not hashed, but stored in plaintext, which is an inexcusable practice.

Whoever designed and built the ClixSense website and back end clearly had no understanding of even basic security best practices. It's, therefore, no surprise that ClixSense confirmed hackers had been able to completely compromise its servers, domain name system settings and email accounts.

It appears that the attackers were able to exploit an old server, which the company was no longer using, but still kept connected to the main network, to gain access to the central database. Although ClixSense was able to restore user balances and many account names, their business continuity plan clearly wasn't fit for this purpose, as one announcement on their site said, "We did not want to restore [account names] from our backup due to the amount of time it would have taken to get back online."

Personal information we share and entrust with online services is only secure if those sites and services fully understand information security and take it seriously.

Only organizations that fall under certain information protection acts or regulatory compliance requirements, such as the Payment Card Industry Data Security Standard, HIPAA, the Family Educational Rights and Privacy Act, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act are actually subjected to regular audits to ensure that they are following industry best practices to protect sensitive information.

All other online services only have the threat of fines or lawsuits to motivate them to adequately protect customer data and to prevent system breaches and the compromise of personal information. This may be why many website designs focus mainly on appearance and ease of use, with security being implemented only if there's time, and if it doesn't compromise the first two objectives.

The proposed Personal Data Notification and Protection Act only requires the breached entity to notify affected individuals, with imposed fines for delays, but not for the privacy breach itself. It does, however, highlight the importance of encrypting sensitive data as, "a business entity is exempted from notice requirements if a risk assessment concludes that there is no reasonable risk of harm to the affected individuals."

No harm is presumed if the data has been processed by an industry standard technology that leaves it indecipherable or unusable. Heftier penalties are on the way though -- the European Parliament is proposing fines representing up to 5% of global turnover or €100 million, whichever is bigger, for a privacy breach.

While many businesses do their utmost to keep their users' information secure, the ClixSense debacle shows that security is often just an afterthought, particularly as security is rarely core to a business's processes or skill set. This is worth remembering when faced with a registration page that asks for a disproportionate amount of personal data compared to the service it offers, or that provides little assurance or information about how it keeps personal information secure.

Anyone who has an account with an online service that suffers a data breach should immediately change the passwords to their other online accounts if those passwords are in any way similar. People should also be wary of spam and phishing emails they may receive after a privacy breach, as the attackers will be able to use their stolen data to make the email content appear more realistic than usual.

Next Steps

Find out what new NIST password recommendations your enterprise should adopt

Learn how to reduce user risk in the face of major password breaches

Read about how Yahoo's dubious breach reporting kept it from informing users 

Dig Deeper on Data security and privacy