NASDAQ online message exchange robbed
Financial Services // Social Media
Registered members of NASDAQ's community.nasdaq.com received an email from the financial firm stating their personal details may have been compromised.
The breach was discovered through "standard security monitoring." The company is still investigating the matter. Hackers apparently accessed usernames, email addresses and passwords. The penetration did not affect NASDAQ's trading or commerce platforms, the firm claims.
Security observers speculated the servers running the NASDAQ community software had not been properly configured or updated with bug fixes, and this allowed hackers an open window to access sensitive information. Since the email didn’t mention whether or not passwords had been encrypted, observers inferred the site might have been storing the sensitive data in plain text.
Yahoo's finance blog, The Exchange, suggests, "Such lists can be compiled into software that speeds up the process of breaking into more secure sites that may contain valuable information."
Analyst Sean Sullivan wondered whether the purpose of the breach had been not to steal the passwords but to infect the site with a credential-stealing virus and use it for “a water hole attack.”
Context Information Security recently reported that water hole attacks are increasingly replacing spear-phishing as the weapon of choice. "You thought the Twitter, Facebook, Apple, Microsoft watering hole attack compromises via the iPhone Dev SDK forum was bad? Well," said Sullivan, "I think that would be nothing compared to the kind of damage that could be done via NASDAQ."




