Online comic store ComiXology has warned of unauthorised access to a database that contained user details, and has rolled out a complete password reset.
In an email, ComiXology said that in the course of a recent review and upgrade of its security infrastructure, it determined that an “unauthorised individual accessed a database of ours that contained usernames, email addresses and cryptographically protected passwords”.
It said that even though it stores passwords in protected form, as a precautionary measure it was requiring all users to change their passwords. “We have taken additional steps to strengthen our security procedures and systems, and we will continue to implement improvements on an ongoing basis,” it said.
However, the complete reset seemed to cause issues for the website, as users complained about slow-loading pages and the reset page timing out.
Malwarebytes security researcher Christopher Boyd said that while it may seem a bit all-encompassing to reset the entire userbase, it is possible that at this stage they are still evaluating how many users have been affected. “With that in mind, people’s frustration over not being able to reset due to timeouts will probably be alleviated by the knowledge that their accounts are being kept safe.”
He was also critical of the decision to send out emails containing a clickable link, when ComiXology told users that it will never send out mails asking for personal information or directing them to sites asking them to provide personal information.
Boyd said: “Thankfully in this case, clicking the initial link only takes you to a page asking for an email address to send the reset mail to – no passwords (that comes later, with the second email which is user initiated). However, it’s something I’d suggest companies avoid doing if possible.”