
EDIT 2: It seems that I have confused the "encryption" with normal hashing. So this comment is invalid if they are doing encryption properly.

I wonder how hard it is to brute-force the credit card numbers. Given the last 4 digits, the Luhn algorithm and the starting digit of common cards (e.g. 4 for Visa), there are essentially only 10 digits left to crack. That's just 10 billion combinations.

As part of the source code is exposed, most likely the encryption algorithm/sequence is already known. If the passphrase is shared among all credit cards and the encryption algorithm is a fast one, there's a fair chance that eventually these credit cards are going to be exposed all at once.

Or am I missing anything?

EDIT: Even if the encryption algorithm is as slow as 10,000 tries per second, exhaustively attempting every single credit card number possible is going to take 277 CPU-hours, or about a day on three quad-core machines.



If they used encryption properly (random or unique IV depending on cipher mode of operation), you can't brute-force credit card numbers (encrypted content); you can only try to brute-force the key used for encryption.

See http://en.wikipedia.org/wiki/Semantic_security and http://en.wikipedia.org/wiki/Ciphertext_indistinguishability


Right. I guess I had confused it with hashing. If the credit cards were hashed then it would be relatively easy to crack. Edited my comment.

Thanks!
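
The distinction the thread arrives at, as an added example that is not part of any comment above: an unkeyed digest of a card number repeats for the same input, so it is a stable target for guessing over the small Luhn-constrained space, while encryption under a fresh random nonce yields a different ciphertext every time. SHA-256, AES-256-GCM, the function names, the demo key and the test card number are assumptions made for illustration; the thread names no algorithm.

```javascript
const { createHash, createCipheriv, randomBytes } = require('crypto');

// Luhn check over a string of ASCII digits.
function luhnValid(s) {
  let sum = 0;
  for (let i = s.length - 1, pos = 0; i >= 0; i--, pos++) {
    let d = s.charCodeAt(i) - 48;
    if (pos % 2 === 1) { // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Count Luhn-valid numbers of the form prefix + n unknown digits + last4.
// Exactly one filling in ten passes, which is why 11 unknown digits
// leave 10^10 candidates rather than 10^11.
function countCandidates(prefix, last4, n) {
  let valid = 0;
  for (let v = 0; v < 10 ** n; v++) {
    if (luhnValid(prefix + String(v).padStart(n, '0') + last4)) valid++;
  }
  return valid;
}

// Unkeyed digest: deterministic, the same PAN always maps to the same value.
function digest(pan) {
  return createHash('sha256').update(pan).digest('hex');
}

// AES-256-GCM with a fresh random 96-bit nonce per call.
// Returns nonce || ciphertext || tag, hex-encoded.
function seal(key, pan) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(pan, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString('hex');
}

const pan = '4111111111111111'; // constructed: widely used test number, not a real card
const key = randomBytes(32);    // constructed demo key

console.log('digest repeats:    ', digest(pan) === digest(pan));
console.log('ciphertext repeats:', seal(key, pan) === seal(key, pan));
console.log('Luhn-valid among 10^4 fillings:',
  countCandidates('41111111', '1111', 4));
```

The count is run at reduced scale (4 unknown digits instead of 11) so it finishes instantly; the one-in-ten ratio is the same at any width.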



