Password Re-user? Get Ready to Get Busy (krebsonsecurity.com)
Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at LinkedIn, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.
Surely everyone is hashing the passwords, using different salt etc?
Bwhahahahahahaha You're assuming that these companies have good security practices. How do you think they got hacked in the first place?
I am Slashdot. Are you Slashdot as well?
Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless unless you have the resources to brute-force them.
The password lists aren't encrypted. They are in the form of: login_id:password (ie: bob@example.com:example)
What Netflix, et al. are doing is taking the list, noticing that they have a user with the same login_id (bob@example.com), and taking the password (example) and hashing it in the same way that their authenticator does. If the hashes match, then they send the user an email saying "Reset your password".
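The matching procedure described in the comment above, as an added example that is not code from the original thread or from Netflix: a constructed user store with per-user random salts and PBKDF2, a constructed leak in `login_id:password` form, and a function that hashes each leaked password with the matching user's own salt and flags accounts whose stored hash agrees. The hashing scheme, the user records and the leak lines are all assumptions made up for this example.

```python
import hashlib
import hmac
import os

# Assumed storage scheme for the example: per-user 16-byte random salt,
# PBKDF2-HMAC-SHA256 (iteration count kept low so the example runs quickly).
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user store keyed by lower-cased login id.
USER_DB = {
    "bob@example.com": make_record("bob@example.com", "example"),
    "alice@example.com": make_record("alice@example.com", "hunter2"),
    "carol@example.com": make_record("carol@example.com", "Unique-Pass-2016"),
}

# Constructed leak dump in the login_id:password form described in the thread.
LEAK = """bob@example.com:example
Alice@Example.com:hunter2
carol@example.com:wrongguess
nobody@example.com:whatever
malformed line without separator
"""


def parse_leak(text: str):
    """Yield (login_id, password) pairs; split on the first ':' only, so
    passwords containing ':' survive, and skip lines that lack a separator."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        login, _, password = line.partition(":")
        yield login.strip().lower(), password


def find_reused(user_db: dict, leak_text: str) -> list:
    """Return the sorted login ids whose leaked password, hashed with that
    user's own salt, matches the stored hash (i.e. the password was re-used)."""
    flagged = set()
    for login, leaked_pw in parse_leak(leak_text):
        record = user_db.get(login)
        if record is None:
            continue  # not our user; nothing to compare against
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(login)
    return sorted(flagged)


if __name__ == "__main__":
    for login in find_reused(USER_DB, LEAK):
        print(f"force password reset for {login}")
```

The login id must match before any hashing happens, so the site only ever spends one hash computation per leaked row that names one of its own users; a per-user salt does not prevent this check, it only means the check cannot be done with a single precomputed table.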
At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix et al. to run the lists through their hashing algorithm and see if it gets any hits against their users.
LinkedIn was employing a fast hashing algorithm with no salt back in 2012 when their database was stolen. Which is about one step better than plaintext, given that an attacker can hit it at full speed and can crack them en masse because of the lack of salt.
MySpace apparently began employing double-salted hashes in 2013, but the login credentials that leaked were ones that hadn't been used past that time, so MySpace hadn't been able to update them to be more secure since it sounds like they were employing simple hashing prior to that.
As for Tumblr, they said they employed hash+salt on the database that was leaked, so it should indeed take a while before anything besides commonly-used passwords start showing up from it.
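To make the point of the comment above concrete, here is an added example (not code from the thread or from any of the companies named) that counts hash invocations needed to test a short candidate list against a stored credential table. With an unsalted fast hash, every candidate is hashed once and looked up against all users; with a per-user salt, each candidate has to be hashed again for every user. The SHA-1 choice, the user records and the candidate list are assumptions constructed for the example.

```python
import hashlib
import os

# Constructed candidate list, standing in for "commonly-used passwords".
CANDIDATES = ["123456", "password", "example", "letmein"]

# Constructed user table with the real passwords used only to build the stores.
_USERS = {"u1": "example", "u2": "letmein", "u3": "Str0ng-unique-pw"}

# Store A (assumed LinkedIn-2012 style): unsalted SHA-1 hex digest per user.
UNSALTED_DB = {u: hashlib.sha1(p.encode()).hexdigest() for u, p in _USERS.items()}

# Store B (assumed salted style): per-user random salt, SHA-1 over salt||password.
# Still a fast hash, so the only thing the salt buys is the loss of the shared table.
SALTED_DB = {}
for u, p in _USERS.items():
    salt = os.urandom(8)
    SALTED_DB[u] = (salt, hashlib.sha1(salt + p.encode()).hexdigest())


def work_unsalted(stored: dict, candidates: list) -> tuple:
    """Hash each candidate once, then look every stored hash up in that table.
    Returns (hash_invocations, {user: matched_candidate})."""
    table = {hashlib.sha1(c.encode()).hexdigest(): c for c in candidates}
    invocations = len(candidates)
    matched = {u: table[h] for u, h in stored.items() if h in table}
    return invocations, matched


def work_salted(stored: dict, candidates: list) -> tuple:
    """Each (user, candidate) pair needs its own hash because the salt differs.
    Returns (hash_invocations, {user: matched_candidate})."""
    invocations = 0
    matched = {}
    for u, (salt, h) in stored.items():
        for c in candidates:
            invocations += 1
            if hashlib.sha1(salt + c.encode()).hexdigest() == h:
                matched[u] = c
    return invocations, matched


if __name__ == "__main__":
    print("unsalted:", work_unsalted(UNSALTED_DB, CANDIDATES))
    print("salted:  ", work_salted(SALTED_DB, CANDIDATES))
```

The hash counts grow from `len(candidates)` to `len(users) * len(candidates)`, which is the "en masse" effect the comment describes; only a deliberately slow hash (bcrypt, scrypt, PBKDF2 with a high iteration count) raises the per-invocation cost as well, which is why the thread expects a salted Tumblr dump to yield only the commonly-used passwords for a while.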
Easy enough to find out. Check your email at haveibeenpwned.com.
It will tell you which breaches have contained your email.