MusicBrainz Password Leak (pastebin.com)
23 points by jameswyse on April 17, 2013 | 16 comments



OP links to a copy of the email I received this morning.

Yet another company with a far too relaxed approach to security. What bothers me though is that they discovered this 2 weeks ago and I'm only hearing about it now.

The blog post they link to is dated April 5th: http://blog.musicbrainz.org/?p=1844


>Yet another company with a far too relaxed approach to security

> What Data Was Leaked? bcrypt password hashes, with a cost parameter of 8, for all accounts as of March 25th 2013.

Wait, this is fine, isn't it? They did the right thing.


I wouldn't say 'fine'. They say the hashes were salted (which is good), but it's not clear whether all the salt was also leaked.


The salt is included in the serialized form of the bcrypt hash, so yes they were leaked. Secrecy isn't their purpose.
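The serialized form the comment above refers to, as an added example that is not part of this thread: a small Python parser that splits a bcrypt hash string into its version, cost and salt, which makes it visible that whoever holds the hash string also holds the salt and the cost (the "cost parameter of 8" from the email is 2^8 key-setup rounds). The hash value below is constructed for illustration and is not a real MusicBrainz hash, and the minimum-cost policy check uses an assumed threshold, not a figure from the thread.

```python
import re

# bcrypt modular-crypt format: $<version>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(?P<version>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(hash_str):
    """Split a serialized bcrypt hash into its public components.

    Everything needed to re-run the KDF (version, cost, salt) is carried in
    the string itself; only the password is missing. Raises ValueError on
    anything that is not well-formed bcrypt output.
    """
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a serialized bcrypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range")
    return {
        "version": m.group("version"),
        "cost": cost,
        "rounds": 2 ** cost,       # bcrypt runs 2^cost key-setup iterations
        "salt": m.group("salt"),   # 128-bit salt, public by design
        "digest": m.group("digest"),
    }


def below_minimum_cost(hash_str, minimum_cost=10):
    """Return True if the stored hash was computed with a cost lower than
    the policy minimum. The default of 10 is an assumed policy value for
    this example, not a figure from the thread."""
    return parse_bcrypt_hash(hash_str)["cost"] < minimum_cost


# Constructed sample, not a real hash from the leak; cost 08 as in the email.
SAMPLE_HASH = "$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

if __name__ == "__main__":
    parsed = parse_bcrypt_hash(SAMPLE_HASH)
    print("cost", parsed["cost"], "->", parsed["rounds"], "rounds")
    print("salt (public):", parsed["salt"])
    print("below policy minimum:", below_minimum_cost(SAMPLE_HASH))
```

Because the salt sits in the string, two accounts with the same password still get different hash strings, which is the property the next comments discuss; the cost field is what a defender would audit after a leak like this, since it bounds how expensive each guess is for anyone holding the dump.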


Salts are considered public, in the sense that if they are leaked it's not damaging in and of itself. The entire purpose of them is to prevent people with the same password having the same password hash. Now if the salt was your name or something, that's a different problem.


> The entire purpose of them is to prevent people with the same password having the same password hash.

... which helps prevent against the use of existing rainbow tables, as the hash from site A won't be the same as site B, even if the underlying password is the same.


Hi, I'm the guy who's pretty much responsible for all of this, but I just wanted to clarify a few things.

> Yet another company with a far too relaxed approach to security

I don't think we have a relaxed approach to security, we do our best to take it as seriously as possible. Sadly, we have only 3 programmers, a large legacy code base and generally insufficient resources. As we provide public data dumps anyway, it's unfortunate that mistakes can become as magnified as this one, but it did happen. It's not a reason this should have happened, and nor is it meant to be an excuse, but I don't think many people are aware of this.

> What bothers me though is that they discovered this 2 weeks ago and I'm only hearing about it now.

Yes, I've worked night and day to try and get the work necessary to even send these emails out for the past fortnight. We've never had to do mass mailing like this, so we simply don't have the infrastructure to send the emails. Again, it's not really a reasonable explanation, but that's why it happened.


Hi there, thanks for taking the time to reply. I appreciate the effort involved and apologise for my harsh words - I've just been a little frustrated as it's getting to be a weekly occurrence that some company loses my data / password / credit card details.


Amen, I'd like to push the blame on the fact that we still even have to deal with passwords and stuff in this day and age, but that's hardly putting a better suggestion forward :(


LOL... mandatory=1 in the url? What happens if you set it to 0?


haha who knows..

Their site in general is pretty dumb. I logged in and deleted my account but it didn't log me out, it just changed my name to 'Deleted Editor #XXXXXX' - I can still edit all the account details.


Hi, we do have a public bug tracker and you could have reported this. I've filed a ticket at http://tickets.musicbrainz.org/browse/MBS-6166.


It's just a flag which adds some explanatory text on the page, rather than displaying the regular 'customer requests change of password' page.


Is there a service where I could indicate which websites I'm using, and that would warn me immediately if one of them is compromised?

I'd rather have a single, reliable source of information for this. Also I'd like to see the history of each service before I sign up.


I used to use MusicBrainz to sort out mp3 tags, it was pretty awesome back in the day. I don't really have that problem anymore.




