Instapaper Stolen

by Christopher Paul on June 23, 2011

Sorry for the link-baiting but if “reputable” websites can do it, I think I’m entitled every now and then, too. Don’t be too upset.

Moving right along…

Marco Arment, commenting on the recent FBI raid that took down several blogs, websites, and apps, including Instapaper:

“Possibly most importantly, though, the FBI is now presumably in possession of a complete copy of the Instapaper database as it stood on Tuesday morning, including the complete list of users and any non-deleted bookmarks. (“Archived” bookmarks are not deleted. “Deleted” bookmarks are hard-deleted out of the database immediately.)

Instapaper stores only salted SHA-1 hashes of passwords, so those are relatively safe. But email addresses are stored in the clear, as is the saved content of each bookmark saved by the bookmarklet.

The server also contained a complete copy of the Instapaper website codebase, but not the codebase of the iOS app.”

That middle paragraph is important. At least we can be assured that the passwords are relatively safe. Marco also mentions that OAuth keys for Twitter, Facebook, and other services are stored, but not user passwords. Pinboard passwords are encrypted, but the keys are easily accessible.

This is the quote that stood out the most to me, though (emphasis added):

“Due to the police culture in the United States, especially at the federal level, I don’t expect to ever get an explanation for this, have the server or its data returned, or be reimbursed for the damage they have illegally caused.”

If I were a developer, I’d think long and hard before hosting any user information on a server in the US. My little site affects only me — but Marco’s livelihood is in his code and reputation. Why risk that with careless or overzealous federal raids?

The FBI stole an Instapaper server in an unrelated raid — Instapaper Blog via The Brooks Review
