A Los Angeles publisher of online lifestyle and entertainment magazines has inadvertently exposed the personal e-mail addresses and passwords for hundreds of its subscribers, InformationWeek has learned.
The victims are all members of sites operated by Splash Magazines Worldwide, which publishes local versions of its magazines under URLs like NYCSplash.com and LASplash.com.
The list of e-mail addresses and passwords for members' Gmail, Hotmail, Yahoo, and other accounts would turn up in the results of unrelated Google searches Monday if those searches happened to contain at least two keywords that matched the names of Splash members. InformationWeek confirmed that the security hole was still open as of 4 p.m. Monday.
Splash founder Larry Davis said in an interview that he was not aware of the security problem and did not know how it could have occurred. "We have a Webmaster who is supposed to know all about security," said Davis.
Splash's servers are co-located at a Los Angeles Internet hosting company called Calpop. However, Calpop co-founder Lynn Hoover said his company simply rents floor space and bandwidth to Splash and is not involved with the maintenance or operation of its Web sites. "It's not like our people code their software," said Hoover. "Having said that, we'll try and help out with the situation if we can."
Hoover theorizes that the information could have been inadvertently exposed to the Web if the Google search spider happened to be crawling Splash's sites at a time when password-protected pages were open for editing or maintenance. Versions of the pages held in Google's cache would then be readily available to anyone with Internet access -- including identity thieves.
Understandably, some Splash members are now worried they're going to get soaked by cybercriminals. "I'm composing an angry e-mail in my head to Splash right now," said Liz Miller, an L.A. graphic artist and writer whose Gmail account and password were revealed online. "It reinforces the fact that you really need to know who you're dealing with before you provide passwords over the Internet," said Miller, who changed her Gmail password after being informed of the problem by InformationWeek.
Security breaches have become a not uncommon event on the Internet, and even major retailers like Amazon and T.J. Maxx have been the victim of hacks or accidental data exposure. The rash of online security problems has prompted some states to require companies to notify customers if their personal information has been compromised and to provide free credit monitoring services.