It's been about 18 months since I wrote this little post on horrible website password security. Unfortunately, I see that very little has changed, as evidenced by Universal Music's recent security breach that exposed their users' real names, email addresses, and passwords. Similar reports seem to surface every day now, such as late last week at the Washington Post and FBI contractor IRC Federal, though it's unclear if the latter two were as wildly irresponsible as Universal Music.
You might think that a company the size of Universal Music, with plenty of resources, would be able to follow the simplest form of security and at least hash its passwords before storing them. You would be incorrect. And if you were unfortunate enough to have registered an account with Universal Music in the past, your information is now spread around for anyone to see and use. For the large number of users who re-use passwords from site to site, their login credentials to any number of other resources are now public information -- and they may not even know it.
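The minimum the column asks for is that a site never store the password itself, only a salted, deliberately slow hash of it, and that it compare hashes in constant time at login. The following is an added example written for this page, not code from Universal Music or from the column; it uses only the Python standard library, and the iteration count, record format and the in-memory user table are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this illustration: a random per-user salt and a
# deliberately slow PBKDF2-HMAC-SHA256 iteration count so that a leaked table
# cannot be brute-forced cheaply. Tune the count to current guidance for your platform.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields).

    The record never contains the password; a fresh random salt means two users
    with the same password get different records, so a leak of one does not
    reveal the other and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


# A stand-in for the site's user table (constructed for this example): username -> hash record.
UserTable = Dict[str, str]

# Dummy record used so that a login attempt for an unknown user costs the same
# time as one for a known user, which avoids confirming which names exist.
_DUMMY_RECORD = hash_password("dummy-password-never-accepted")


def register(users: UserTable, username: str, password: str) -> None:
    """Store only the salted hash; the plaintext is discarded here."""
    users[username] = hash_password(password)


def login(users: UserTable, username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches its stored record."""
    record = users.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then fail
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    table: UserTable = {}
    register(table, "alice", "correct horse battery staple")
    register(table, "bob", "correct horse battery staple")
    print("alice record:", table["alice"])
    print("bob record:  ", table["bob"])          # differs from alice's despite same password
    print("alice login ok:", login(table, "alice", "correct horse battery staple"))
    print("wrong password:", login(table, "alice", "Correct horse battery staple"))
    print("unknown user:  ", login(table, "carol", "correct horse battery staple"))
```

What a breach of this table would expose is a list of salted hashes, each of which an attacker must attack individually at the full iteration cost, rather than a list of passwords that can be replayed against every other site the user registered on.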
Also, I expect to see a bunch of highly targeted phishing attempts appearing quite soon -- after all, they can send you an email, use your real name, and (most important) reference a password that you've knowingly used. Forge the headers and include a link to a bogus site that appears legit, and I'll bet they'd get a boatload of information from unwitting users. Frankly, I wouldn't consider that to be their fault at all. It's Universal Music's fault, top to bottom.
At this point, a brief PR hit is the only thing a company of any size really has to worry about when this sort of thing happens. Sony has been hit with wave after wave of security breaches that have directly affected a huge number of its customers, but with no apparent consequences. Millions of its users have had their account information released into the wild, and some of them will begin finding fraudulent transactions in their name -- or any of a variety of possible illegal uses of their information. There's nothing they can really do to prevent it, and I'm certain that a significant portion of them don't even know they were exposed.
Just like Sony and all the others, Universal Music just has to say "oops" and issue a brief press release noting, "Hey, you might want to change your passwords on other sites now. Oh, and carefully inspect each email you get since someone may hit you with a phishing scam." Then hope it all dies down in a day or two.