Slashdot Mirror
Hacker Steals 45 Million Accounts From Hundreds of Car, Tech, Sports Forums (zdnet.com)
An anonymous reader quotes a report from ZDNet: A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted passwords with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr. The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."
At least with proper use of salts, each password hash will have to be individually bruteforced. While single MD5 hashed password is trivial to break, 45 million are not.
Now, if you are designing password storage in 2016, there is no excuse not to use proper key stretching function, like scrypt.
mmm....could be. https://www.youtube.com/watch?...
For all my friends who bitch at me about the fact that I don't give accurate personal information when creating forum accounts (on the very rare occasions I bother to do so), now you know why. Go ahead, tell me again how I am paranoid and how unfair it is to the forum operators.
You're not paranoid, you're an evil oppressor. Don't you know? Information Wants to Be Free! Information has been held back by the (hu)man for far too long. You're to information like the RIAA to music, the MPAA to movies, English to the Irish, men to women, the white man to the native americans, vegans to vegetables, penicillin to bacteria. Nay, you're worse. information is helpless and cannot even fight back in the least. You should hang your head in shame. ;-)
For sites like Slashdot, fark, ars, etc al I not only use the same login, I use the same password. Why would I care? Wanna post on /. how Win10 is The Greatest and Microsoft Rulz cuz of it's asinine attempts to force you to "upgrade"? Don't care, I'll get over it. Wanna post a nekkid pic on Fark that gets me banned? Don't care, I'll make another account.
Now, sites that I use a credit card for, or that hold money/stocks, those are a different story. Different user names, different passwords, all kept track of via Keepass.
This is why it is so critical we maintain textual information about what life was like before Republicans.
Not that I'm' a Republican (or a Democrat)... But the Republican party was founded in 1854 (by anti-slavery Whigs) with the primary goal of abolishing slavery. So prior to the Republicans, the US had slavery. Abraham Lincoln was the first Republican president.
In 1878 A.A. Sargent, a Republican, introduced the 19th amendment, it was voted down by the Democrat controlled congress. It wasn't until 1919 that the Republicans controlled both the house and senate that they passed it, still under the opposition of the democrat party. Including the president at the time, which the suffragettes referred to as "Kaiser Wilson."
Before Jeanette Rankin, a Republican, in 1916 no woman had been elected to the house of representatives.
During his time as as the military governor of Germany after WWII, Dwight Eisenhower realized the value of the German highway system. When he became president, he signed the Federal-Aid Highway Act into law in 1956.
Eisenhower signed the Civil Rights act of 1960 into law after a five day filibusterer by several democrats in the senate.
Many credit Ronald Regan with the collapse of the Soviet Union. Depending on your point of view, this may not be a good thing.
In 2001 Colin Powell became the first black secretary of state. Followed by Condoleezza Rice in 2005 who became the first black women to hold that position.
Yep, the world was a much rosier place before the existence of the Republicans.
Yeah the summary seems a bit confused. It says "salted passwords with MD5 (an algorithm that nowadays is easy to crack)". If they are properly salted, they aren't easy to to crack. Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.
UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.
On a related note, here's how to get SHA256 salted hashes on a Linux system:
crypt(PASSWORD, '$5$' . SALT . '$')
In MySQL it's called ENCRYPT():
ENCRYPT(?, CONCAT('$5$', ?, '$'))
execute(password, randomsalt)
Enclosing the salt in $5$...$ causes crypt() to use sha256.
The big concern is that people may have used the same user name / password combination on other systems.
I looked up my email address on that leakedsource.com and they found 2 hits in one hack and 1 hit in a few other hacks. Of course they only tell you what website got hacked. Any info other than that till you subscribe ($4 a day).
Sucks. i searched for a few strings before i got a hit so I feel that it may be legitimate. I am seriously considering paying the money. utorrent, anandtech, and this verticlescope thing. Some had plain text passwords! and sometimes i have in the past reused passwords... nasty!
looked up some friends emails and work colleagues and found hits for almost all of them.
Looked up my work domain and found hundreds of hits. Going to probably do it just to warn my co workers now.
-
All of them. I haven't got the email warnings yet, but both of the forums that I subscribe to there have a new boilerplate message about upcoming password changes... without mentioning why. Unsubscribing to the forums is damn near impossible; something that I just learned. The only way that your account can be closed is if you prove too damn obnoxious. But the sites are run from Canada. Being obnoxious can be difficult there. BTW, my corresponding email _was_ hacked within the last week. Barn door left open since February; too late. So I'll have to close that account.
Now before all of the smarmy IT "Professionals" start going on about Password "Security"; note that no Password Ninja broke into my house and stole the keyboard sticky. IT "Professionals" need to understand that these breaches are _their_ fault. _They_ can't secure their systems. They can't even be bothered to warn us in a timely manner about their screwups. So Screw them.
You are correct. It is becoming more clear that having similar or reusing passwords is really stupid bad.
Also, writing passwords down (because now instead of four, there are 45) will have to be the new norm.
Back when people had ONE business password and it let them get in payroll it was bad to have them written down, because it was right where it would do some damage. Now that the average person has Google, email, a forum or two, Facebook or other social media, online banking, store credit card account, Amazon, maybe other online shopping... now a self-managed list written down or on a phone is the way to go.
Give them some credit, they did gratuitously check for TLS on some of the sites and threw that for free into the report.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
First MD5 is NOT broke for this purpose and offers no meaningful disadvantage to other hash algorithms.
Salts and key stretching only make it n-times more expensive to brute force plaintext. While this sounds good even if n is measured in the millions and really does require attackers to expend more resources to accomplish the same result these expenditures amount to an unresolvable spec of dust compared to having a secret with sufficient entropy... a luxury that does not exist in the real world.
There are two major problems with the way industry in general is handling passwords and authentication.
1. Reliance on hashes as a good enough solution rather than protecting password stores with reversible encryption preferably by a split system where keys are only in the possession of an authenticator whose one and only job is to assert identity to applications. It is tractable to secure a low complexity single purpose system while virtually impossible to protect your typical infinitely complex and often poorly designed web stack. The problem with hashes is people don't use good enough passwords to survive offline attack regardless of salt + amplification bullshit everyone throws around as a "solution". Just ignoring this basic fact or thinking your going to force people to use better passwords is a proven delusion with a long long history of total failure.
2. Encrypting the channel and sending plaintext over it is stupidity of the highest order. What we need are authentication protocols that don't suck and by that I mean allow mutual proof of possession and binding proof to encrypted session without leaking shit that enables brute force attack in the progress. We don't need new CHAP schemes upgraded with latest and greatest SHA-Infinity or Kerberos or houses of cards the size of the earth a hundred times over (PKI). We don't need the world thinking it is OK enter credentials into random web forms.
There are numerous so called "zero knowledge" systems that do exactly this. To this day exactly none of them are supported by any major browser despite patches languishing in the projects ticketing system and despite all of the supporting infrastructure in terms of standards and baked in support by major encryption libraries.
We are doing it wrong and much of the popular dogma I'm hearing on how to do it right is also wrong.
If they are properly salted, they aren't easy to to crack.
Compared to what?
Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.
So with 45 million accounts it should take a million years to get the first million passwords... is this what I am supposed to believe?
How is enforcing complex passwords sufficient to stave off today and tomorrows computers going? Is it working? Do humans accept passwords with sufficient entropy to survive brute force attack by dedicated cracking hardware and botnets with hundreds of thousands to millions of nodes?
UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.
So what if the cracking isn't free? People were having quite a lot of success before rainbow tables ever existed on hardware thousands of times less capable than what we have today. What is the actual effect of this in the real world?
On a related note, here's how to get SHA256 salted hashes on a Linux system:
crypt(PASSWORD, '$5$' . SALT . '$')
In MySQL it's called ENCRYPT():
ENCRYPT(?, CONCAT('$5$', ?, '$'))
execute(password, randomsalt)
Enclosing the salt in $5$...$ causes crypt() to use sha256.
All this accomplishes is repeating the same failures again and again and again and again.
Yes, modern hashes, salted, work extremely well. This is based on my experience writing software which has handled hundreds of millions of login attempts over the last fifteen years. Here's an MD5 slated hash of own of my passwords which the bas guys which very much like to crack.
$1$bCF1UNu$pRbc6HKD.d8fyv7ABC1ML
Have fun trying.
Yes, modern hashes, salted, work extremely well.
Current state of the art if you have been following dogma is to include key stretching based on algorithms such as scrypt intentionally designed to be costly to run on massively parallel commodity hardware. You don't even bother with this which puts you at an extreme disadvantage.
It isn't that salting or key stretching is in any way bad or not worth doing. It is the checking of the box and then falling asleep thinking you solved something when in fact you have done no such thing that is the issue at hand.
These things in practice are worthless against any sizable password cache of any worth.
This is based on my experience writing software which has handled hundreds of millions of login attempts over the last fifteen years.
Exactly this kind of Hubris is what is going to get everyone hacked. You have demonstrated by your "Life Lock" play you don't even understand the problem. It isn't about *YOUR* password it is about everyone else's. If you think passwords can be meaningfully protected by this crap you are dangerous mistaken.