Recently acquired German social network StudiVZ has had a number of security issues over recent months.
In an interview today (Jan 10) with German weekly Manager Magazin, Holtzbrinck Networks CEO Konstantin Urban said:
StudiVZ is a company that has grown extremely fast in recent years, has billions of pageviews, and has a need for massive server capacity. It’s not surprising that there were some technical problems during the time after the company got started.
Of course things had to be revamped, and StudiVZ has done just that. Data security has been established. A short while ago, Chaos Computer Club tried unsuccessfully to hack the system. The site is stable now. …
Well, as for the security part of what he said, someone must have disagreed.
The official StudiVZ company blog, which is run on Wordpress, has been hacked. At 12.00am, Thursday morning German time, the following message appeared:
Dear StudiVZ folks,
The new official owner of your personal data, Konstantin Urban of Holtzbrinck Ventures, seems to know as much about data security as the wanna-bes whom you have entrusted so many details about yourselves in the past: nothing. He impertinently claims Chaos Computer Club has “unsuccessfully attempted to hack the system” and therefore everything is really secure now.
“Of course things had to be revamped, and StudiVZ has done just that. Data security has been established. A short while ago, Chaos Computer Club tried unsuccessfully to hack the system. The site is stable now.”
Unfortunately, that is completely wrong.
Chaos Computer Club does not participate in these types of “Why don’t you try to hack us?” gimmicks such as the contest announced by StudiVZ. Regrettably it sometimes happens that some morons claim to act “on behalf of CCC,” as may have happened in this case. However, this has nothing to do with Chaos Computer Club.
Chaos Computer Club is currently dealing with matters of greater importance, e.g. the lost trust in voting computers, the dangers of biometric passports, and the fight against total surveillance from data retention in telecommunications. Maybe you, too, have better things to do than to voluntarily throw your data at a profit-oriented collecting society, and you take care of your own life, the world outside, and the real problems of mankind.
This is a machine-generated message in the interest of public security. It is valid without a signature.
Whoever is behind this message, at least we know they have a sense of humor.
The posting has been taken down (the entire blog has been offline for the past three hours), though screenshots are already available elsewhere.
Some bloggers speculate that this exploit may have been used in the attack.
Over at the Blogbar, someone in the comments asks whether the attacker was able to access and change the admin password, knock on the doors of other databases, create dumps, manipulate data etc.
I guess we will find out soon.
Mistakes happen. And I’m usually all for cutting young startups some slack when something gets screwed up (and they do everything they can to fix it). But man, has this been a long series of security mishaps at StudiVZ.