More user passwords dumped, this time from alleged Billabong.com hack

posted on July 13, 2012
by l33tdawg

Hackers dumped another huge cache of stolen passwords, this time exposing what they said are as many as 35,000 plaintext passcodes from the website of clothing maker Billabong International.

A post on CodePaste.net claimed 20,000 to 35,000 user names and corresponding passwords were retrieved in the hack of billabong.com. But the post included only 1,435 plaintext user credentials and didn't explain the discrepancy. Australia-based Billabong provides the accounts to customers to make frequent online purchasing easier. The post also included what it claimed were user names and hashed passwords for MySQL accounts used to administer the site.

The post comes less than 24 hours after the discovery of a separate password dump that affected more than 453,000 accounts for Yahoo's Contributor Network (previously Associated Content). In both cases, web administrators appear to have stored the passwords in plaintext, a practice that's severely frowned upon in the security profession because it makes life much easier for hackers who gain a foothold into a vulnerable system. With only a little extra work, admins could have used Bcrypt or another modern cryptographic algorithm to scramble the passwords into one-way hashes that can't easily be reversed. The hashes may still be cracked, but if the process is done correctly, the protection buys hacked websites enough time to warn users before their plaintext passwords are circulated.

Tags

Security, Hackers, Industry News
