EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as ours as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines.
We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. http://www.milw0rm.com/papers/297. We are providing this link, so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords.
We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.
Donald C. Donzal
The Ethical Hacker Network"
EH-Net staff waited over eight months to let members know about the compromise? According to the milw0rm release, the compromise occurred before "Jul 16 18:05:29 CEST". I got a notice today (Feb 28, 2009) about the compromise. This means that members of EH-Net or registrants for ChicagoCon may have had their account information in the hands of black hats for 8 months. Forum and conference registrants trusted EH-Net to keep their account details secure (it is a security organization, after all). At the very least, they should have known about the compromise as soon as it happened so they could be given the opportunity to change passwords shared with other accounts. Instead, they're notified almost a year after the fact. This sort of scenario is *exactly* why so many states have passed mandatory notification laws - to protect consumers from circumstances where trusted vendors lose their information but don't notify the customers.