On Tuesday, the FBI seized a number of servers from DigitalOne, a Swiss hosting company that leases blade servers from a Virginia datacenter. The FBI had a warrant for only one particular server, used by a fraudulent “scareware” distributor, but ended up taking a lot more servers than the one they were actually looking for, knocking several web sites offline… and making off with nearly all of popular offline reading platform Instapaper’s user data, some of its codebase and some password encryption keys in the process.
Instapaper developer Marco Arment says that even though he had backups in place that prevented the Instapaper service from going offline entirely, by making off with the Instapaper server, the FBI has “illegal possession of nearly all of Instapaper’s data and a moderate portion of its codebase.”
That data includes a complete list of users, all of their email addresses, any non-deleted bookmarks, and salted SHA-1 hashes of passwords (which should be relatively safe, according to Arment). If you use Pinboard with Instapaper, though, your plaintext username and encrypted password are now in the hands of the FBI… and the encryption key is also with them, courtesy of the Instapaper source code.
Worse? It doesn’t look likely that Instapaper will ever get any of this information back, at least from where Arment is sitting.
Given the massive attacks by hacker groups over the last couple of weeks, it seems ironic that the FBI is the latest group to compromise users’ security. Depending on how distrustful of the government you are, you may feel very safe that the FBI has your Instapaper data, or very, very nervous.
Either way, if you use your Instapaper logins at any other sites, now might be the time to change them. Given the number of hacking attacks in recent months, it just makes sense to minimize your vulnerability and use different passwords and logins at different sites.