Long-time users of recipe-sharing website Allrecipes.com have recently been told that their accounts may have been breached. According to an email sent out by the food-based social networking site, users who registered before June 2013 may have been affected by a breach in which email addresses and passwords were compromised.
The email, part of which was posted by security blogger Graham Cluley, claimed that account information “may have been intercepted by an unauthorized third party”, but it didn’t indicate how the breach occurred or who was responsible. According to Allrecipes’s “best analysis”, the information was “intercepted during account registration or login.”
Allrecipes has advised users to change their passwords on its website and to make sure they don’t use their old passwords anywhere else.
A lack of transparency
Allrecipes’s users should be alarmed by the fact that the company only discovered the breach four years after it took place – thanks to a “security review of [its] business” – and they should be just as concerned about the company’s response after discovering it.
While the company did post an FAQ Notice of Data Breach page, it is so well hidden that Cluley, when covering the story, reported that there was no such page.
This oversight was compounded by the fact that the company’s disclosure email to affected users neglected to include a link to the page. It only told users to go to the company’s website for more information – advice that is essentially useless given how hard it is to find that information.
The company also avoided discussing the breach on its Twitter page, only acknowledging it when questioned directly:
@Elke2304 Hello, We did send out an email this morning. Let me know if you have any questions.
— Allrecipes (@Allrecipes) April 18, 2017
The confusion over this breach has been exacerbated by the fact that, a month earlier, Allrecipes emailed some of its users recommending that they change their passwords. At the time, the company denied that there had been a data breach:
— Allrecipes (@Allrecipes) March 24, 2017
What sparked that recommendation remains a mystery, and, as Cluley writes, “plenty of questions remain about how this security breach may have happened, and Allrecipes’ response to it. But at the very least I would have been pleased to see them be more transparent with their users”.
To mitigate the threat of data breaches, organizations should have an effective information security management system (ISMS) in place, as described by the international standard ISO 27001.
ISO 27001 delivers the cybersecurity assurance you need, providing a risk-based approach to information security that addresses people, processes, and technology.
To help organizations achieve accredited registration to ISO 27001, IT Governance offers a range of ISO 27001 packaged consultancy solutions. Each caters to a different set of needs and is delivered with minimal disruption to business.