Royal Yachting Association Resets Passwords After Breach
The Royal Yachting Association (RYA) is forcing a password reset for all online users after warning some that their data may have been compromised by a third party.
The UK’s national body for all things nautical appears to have moved quickly in response to the discovery.
“We have recently become aware that an unauthorized party accessed and may have acquired a database created in 2015 containing personal data associated with a number of RYA user accounts. The affected information included email addresses and RYA website passwords which were encrypted and therefore not visible,” it explained.
“The affected information included name, email and hashed passwords — the majority held with the salted hash function, which is used to secure passwords. The affected data did not include any financial or payment information and in this stage in our investigation there is no evidence that this data has been misused — it was legacy test data and it appears that the unauthorized party who gained access to a hosted server subsequently deleted that database.”
Despite passwords being salted and hashed, the RYA is taking no chances and will require all web users to choose a new credential. It is also urging members to be on the lookout for potential phishing scams attempting to capitalize on the breach notification.
“Please note that any email from the RYA about this issue (subject: Important notification regarding RYA Account Security) does not contain attachments and does not request your personal data,” it clarified.
“If you receive an email about this issue which suggests you download an attachment, or asks you for information, the email was not sent by RYA and may be an attempt to steal your personal data.”
Several yachters took to an industry forum warning of such an attempt, until they were reassured that the breach notification email was genuine. Some expressed surprise at receiving the email as they aren’t RYA members, although their email address may have found its way onto the “test” database another way.
Source: Information Security Magazine