You may have to be over the age of 30 to remember it, but Lycos used to be a recognizable name in the days of the first, much slower, version of the internet.

The ‘Web 1.0’, as some fondly remember it, was crowded with companies trying to become the next big search engine. Those that gained traction expanded massively thanks to the dotcom boom.
Also on the internet ‘dark ages’ nostalgia list are companies like Yahoo, AOL, and Ask Jeeves. Many of these corporations failed to keep up with the likes of Google and no longer exist today. Others, however, cling on in some form or another.
Wandera’s threat detection team has discovered that former internet giant Lycos, the first internet search engine to ever go public, is not only still around, but it’s also leaking end user data.
Read the full Lycos Threat Advisory

Lycos: The Company

Back in its heyday, Lycos was one of the best-known search engines. In 1996 it became the fastest company ever to reach IPO (at an initial valuation of around $300 million), and it went on to be described as the first profitable internet business in the world. The capital from that listing transformed it from a search engine into a global digital media company.
Lycos subsequently acquired a number of smaller companies including Gamesville, WhoWhere, Wired News, and Angelfire in order to build its media portfolio. For a while, this seemed to be working for them.
Unfortunately, Lycos made a rather spectacular fall from grace when it couldn’t keep up with the likes of Yahoo and Google. Its business became fragmented, and numerous changes in ownership left it almost unrecognizable.
The company does, however, still exist today. It continues to provide consumer services ranging from news to domains to weather. One of the most popular products it offers is webmail.

Lycos Mail

When you think of Lycos Mail, you probably picture some ancient, ridiculously slow, ugly e-mail portal, but you’d be incorrect.
While it may not be the most advanced system on the market, it offers users a no-fuss, easy to use webmail service with 3GB of online storage. Lycos Mail enables large file sharing as well as providing an intelligent spam filter.
The Lycos Mail website receives over 650,000 visits per day. According to Wandera’s findings, many global corporations have employees who still use the webmail service frequently.
What these users don’t realize is that every time they log in to Lycos Mail, their usernames and passwords are exposed to anyone able to observe their traffic.

The vulnerability

The threat research team at Wandera, with the help of the mobile intelligence engine MI:RIAM, has discovered this problematic data leak occurring during the login process of the service.
The vulnerability occurs because Lycos transfers users’ login details over plain HTTP rather than HTTPS. The username and password therefore cross the internet in plaintext, readable by anyone positioned on the network path between the user and Lycos: someone on the same Wi-Fi network, the operator of a hotspot, or an ISP. No decryption or active attack is needed; passively observing the traffic is enough.

Is this really a big deal?

The implications of this leak may first seem insignificant. After all, it’s just usernames and passwords being put at risk. It’s not like the app is leaking credit card numbers.
Unfortunately, this vulnerability has implications that extend far beyond the initial credential leak. Once a hacker has access to your e-mail account, they immediately hold the master key to all accounts you have linked to that e-mail.
Think about the number of services you’ve given your e-mail address to. The list likely includes the majority of your social media accounts, maybe even your bank account. In many cases the reason you give these services your e-mail address is so that you can reset your password through it, and the reset link lands in the very inbox the attacker now controls.
If a hacker can infiltrate your webmail service they can gain access to any number of accounts. This dramatically increases the risk of identity or even monetary theft for users of Lycos Mail.
This doesn’t touch on the fact that users, in order to make their lives easier, tend to use the same (or similar) usernames and passwords for multiple accounts. No one wants to have to remember three different versions of passwords containing the required two numbers and one symbol.
The problem here is that once a password is stolen, within moments an attacker can test that password (and variations of it) against every other service where the same username or e-mail address is used. There are simple tools for exactly this, known as credential stuffing, that run such attempts for many usernames at once.
Suddenly, this one seemingly small data leak becomes a threat to all online aspects of users’ lives.

What can be done?

This is a great example of how users cannot rely on any company, even the large and recognizable ones, to protect them against data leaks. We’ve seen countless examples of this over the years and it’s becoming increasingly clear that individuals must perform their own due diligence to ensure they are protected against security threats.
There are fairly simple things users can do to protect themselves against this kind of attack. First of all, users should avoid connecting to public Wi-Fi hotspots when signing into sensitive accounts on their devices (i.e. wherever they are entering usernames and passwords); a shared network makes it much easier for someone nearby to intercept the traffic. Bear in mind that traffic sent over plain HTTP can be read anywhere along its path, so this reduces the risk rather than removing it.
Second, users should avoid using the same or similar passwords for multiple online accounts. Reuse makes the attacker’s job easy and increases the risk of more than one of your accounts being compromised. Choose complex passwords that don’t resemble one another; a password manager makes this practical.
Third, an active mobile security service on your device can both monitor and protect against data leaks like this one, preventing your information from getting into the wrong hands. It’s important that the service doesn’t only monitor app activity, but also extends to the mobile browser.

What about Lycos?

In order to keep its users safe, Lycos must make the relatively simple fix of serving the login page, and the endpoint its form posts to, over HTTPS instead of HTTP, redirecting plain HTTP requests to HTTPS. Encrypting only the form submission is not enough: a login page delivered over HTTP can itself be altered in transit, so the whole page must be HTTPS.
Additionally, the developers of the Lycos website are advised to use TLS for every transmission of personally identifiable user information, session tokens, or other sensitive data to a backend API or web service, to mark session cookies Secure so they are never sent over plain HTTP, and to send a Strict-Transport-Security header so that returning browsers never make even their first request over HTTP.
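The following Python script is an added example (not Wandera’s MI:RIAM logic and not Lycos code) that turns the vulnerability described above and the fix just listed into a check a practitioner can run: given a login page’s URL, its HTML, and its response headers, it reports whether credentials would leave the browser in plaintext. The host mail.example.test, the HTML and the headers are all constructed for illustration. It also covers the case the text warns about, an HTTP page whose form already posts to https://, which still fails because the page itself can be tampered with.

```python
"""Check whether a webmail login page would hand credentials to the network in plaintext.

Added example, not Wandera's or Lycos' code: every URL, HTML fragment and header
below is constructed for illustration, not captured from any real service.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>: its resolved action URL and whether it carries a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An absent or empty action submits back to the page's own URL.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, headers):
    """Return a list of findings; an empty list means every check here passed.

    headers is a list of (name, value) pairs, because Set-Cookie may repeat.
    """
    findings = []
    page_scheme = urlsplit(page_url).scheme

    if page_scheme != "https":
        # A login page fetched over HTTP can be rewritten in transit, so an https://
        # form action on it is no protection: the attacker can point it anywhere.
        findings.append("login page itself is served over plaintext HTTP")

    collector = _FormCollector(page_url)
    collector.feed(html)
    for form in collector.forms:
        if form["has_password"] and urlsplit(form["action"]).scheme != "https":
            findings.append(f"password form posts to plaintext URL {form['action']}")

    names = {name.lower() for name, _ in headers}
    if page_scheme == "https" and "strict-transport-security" not in names:
        # Without HSTS a typed-in or bookmarked http:// URL is still sent in the clear first.
        findings.append("no Strict-Transport-Security header")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        flags = {part.strip().lower() for part in value.split(";")[1:]}
        if "secure" not in flags:
            cookie_name = value.split("=", 1)[0].strip()
            findings.append(f"cookie {cookie_name} lacks the Secure flag, so the session is sent over http:// too")

    return findings


# Constructed samples (hypothetical host mail.example.test).
LOGIN_HTML = """<html><body>
<form method="post" action="/dologin">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>"""

VULNERABLE = ("http://mail.example.test/login", LOGIN_HTML,
              [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/; HttpOnly")])

# Same page over HTTPS: the action resolves to https://, HSTS is set, the cookie is Secure.
HARDENED = ("https://mail.example.test/login", LOGIN_HTML,
            [("Content-Type", "text/html"),
             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly")])

# HTTP page whose form already posts to https://: still exposed, the page can be tampered with.
MIXED = ("http://mail.example.test/login",
         LOGIN_HTML.replace('action="/dologin"', 'action="https://mail.example.test/dologin"'),
         [("Content-Type", "text/html")])

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("mixed", MIXED)):
        print(label, audit_login_page(*sample) or ["no findings"])
```

To use it against a live page, fetch the login URL with any HTTP client, pass the final URL after redirects, the body, and the response headers to `audit_login_page`, and treat any finding as a plaintext-credential exposure. The form action is resolved relative to the page URL, so a relative `/dologin` inherits the page’s scheme, which is exactly why the same HTML passes once it is served over HTTPS.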

Responsible disclosure

We attempted to contact Lycos on three separate occasions over the course of 30 days to inform its security team of the data leak.
We received confirmations of receipt of our e-mails but no other response.