Not two weeks ago, LinkedIn made big data breach news when hackers claimed to have more than 100 million usernames and passwords up for sale.
Fortunately, the data wasn’t new, coming from a breach that happened four years ago.
What was new was the size of the list that was up for sale, nearly 20 times the size of the 6.5 million passwords that were reported to have been stolen back in June 2012.
The LinkedIn breach was made worse by the way the passwords were stored, using unsalted SHA-1 hashes.
What that means is that although LinkedIn didn’t keep your actual password, it didn’t do enough to secure it against a breach.
Not tough enough
LinkedIn simply computed a SHA-1 cryptographic hash of your password and stored the hash instead, so that anyone who chose PASSWORD, for example, would end up with a hash of 112b b791 3047 91dd cf69 2e29 fd5c f149 b35f ea37.
Even though attackers can’t use a mathematical shortcut to run a hash backwards and recover its input, they can run it forwards at enormous speed, churning through a huge list of candidate passwords and computing the hash of each one in turn.
Modestly-priced cracking servers (modest for nation-states and cybercriminal gangs, at least) can compute hundreds of billions of SHA-1 hashes per second.
That’s fast enough to try out all possible 10-character upper-case passwords (26^10, or about 140 trillion of them) in well under an hour.
Also, modern password cracking software doesn’t blindly go from AAAAAAAAAA to ZZZZZZZZZZ, but knows that PASSWORD is more likely than OSTEOPATH, which is in turn more likely than VNNQMVHZJL.
Current best practice is to “stretch” each password before storing it by hashing it repeatedly, typically thousands or tens of thousands of times. The extra work is negligible for one legitimate login, but it is multiplied across every guess a cracker makes, so any sort of try ’em all attack takes correspondingly longer to pull off.
Worse still, hashing raw passwords directly means that as soon as one cracker knows that OSTEOPATH comes out as 075b 3a59 32b4 8df1 13e3 9ba4 df41 954b 2419 e705, he can tell everyone else, so that cracking a password for the second time is as simple as looking it up in a giant list of known hashes.
Current best practice is to generate a random “salt” (so called because it spices up the output) that is combined with the password before you start hashing, so that even identical passwords produce different outputs, and so every salt-plus-password combination has to be cracked independently.
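The hash-then-lookup attack and the salt-and-stretch defence described above, as an added worked example in Python that is not part of the original article. The unsalted function reproduces the plain SHA-1 of a password as LinkedIn and MySpace stored it (so you can compare its output for PASSWORD with the value quoted above); the lookup table stands in for a cracker’s precomputed list; the defence uses PBKDF2 from Python’s standard library (hashlib.pbkdf2_hmac) with a random 16-byte salt and an iteration count chosen here for illustration, which are this example’s choices rather than anything the article prescribes. The candidate list and the three sample users are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# The candidate list and the "users" in demo() are constructed for this
# demonstration; a real cracker's list runs to billions of entries.
CANDIDATES = ["123456", "abc123", "password1", "PASSWORD", "OSTEOPATH"]


def unsalted_sha1(password: str) -> str:
    """How the leaked LinkedIn and MySpace hashes were produced: one raw SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; reusable against every unsalted database."""
    return {unsalted_sha1(p): p for p in candidates}


def crack_unsalted(db: dict, table: dict) -> dict:
    """Recover every user whose stored hash appears in the table: no hashing needed."""
    return {user: table[h] for user, h in db.items() if h in table}


# Parameters for the defence (illustrative values chosen for this example).
SALT_BYTES = 16
ITERATIONS = 100_000  # the "stretch": each guess now costs ~100k hashes, not 1


def salted_stretched(password: str, salt: bytes) -> bytes:
    """Salt first, then hash repeatedly (PBKDF2-HMAC-SHA1 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS)


def store_password(password: str) -> tuple:
    """What a service should keep: a fresh random salt plus the stretched hash."""
    salt = os.urandom(SALT_BYTES)
    return salt, salted_stretched(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(salted_stretched(password, salt), stored)


def demo() -> dict:
    users = {"alice": "PASSWORD", "bob": "PASSWORD", "carol": "OSTEOPATH"}
    table = build_lookup_table(CANDIDATES)

    # Unsalted: identical passwords give identical hashes, and one table cracks all.
    unsalted_db = {u: unsalted_sha1(p) for u, p in users.items()}
    cracked = crack_unsalted(unsalted_db, table)

    # Salted and stretched: identical passwords give different records, and the
    # precomputed SHA-1 table matches nothing; each record must be attacked alone.
    salted_db = {u: store_password(p) for u, p in users.items()}
    salted_hits = [u for u, (_, h) in salted_db.items() if h.hex() in table]

    return {
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "unsalted_cracked": len(cracked),
        "salted_identical": salted_db["alice"][1] == salted_db["bob"][1],
        "salted_lookup_hits": len(salted_hits),
        "login_ok": verify_password("PASSWORD", *salted_db["alice"]),
        "wrong_password_ok": verify_password("password", *salted_db["alice"]),
    }


if __name__ == "__main__":
    print("SHA-1 of PASSWORD:", unsalted_sha1("PASSWORD"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with python3 and compare the printed SHA-1 with the hash quoted above. PBKDF2 is used here because it ships with Python and shows the salt-then-stretch idea directly; the iteration count should be tuned so that one verification costs your servers a few tens of milliseconds, and a service built today would more likely reach for bcrypt, scrypt or Argon2, which apply the same principle with memory cost added.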
MySpace’s turn
Well, it’s happened again.
This time, the breach is said to come from MySpace, and the number of passwords claimed is an eye-popping 427 million.
Apparently, there are only 360 million users on the list, but some accounts have more than one password listed, for reasons that aren’t explained.
Once again, the passwords allegedly exposed in this breach were simple, unsalted SHA-1 hashes, vulnerable to just the same sort of high-speed try ’em all attack as in the LinkedIn breach of 2012.
According to Leaked Source, lots of passwords have already been cracked, with the top 50 choices so far accounting for more than 6 million passwords, or 1.5% of the total.
Interestingly, password1, abc123 and the entirely-expected 123456 come in second, third and fourth respectively.
Top place is the unusual (but nevertheless easily-cracked) password homelesspa, attached to more than 850,000 accounts that Leaked Source suggests were created by some sort of automated process, presumably orchestrated by a gang of scammers to use for nefarious purposes.
Is it true?
Of course, password breach stories aren’t always all they seem to be.
We recently wrote about a claim that more than 250 million accounts were breached, allegedly belonging to users of services from Mail.ru (Russia’s most popular email provider), Google, Yahoo and Microsoft.
In the end, it looks as though the data in this breach was either so out-of-date as to be useless, or made up in the first place.
But journalists at Motherboard claim to have sent Leaked Source five email addresses of MySpace accounts to which they knew the passwords…
…and to have received the actual passwords back in return, implying that at least some of the leaked data is both genuine and current.
What to do?
- Change your password as soon as you suspect that an account may have been breached, either because the password was stolen from you, or because a hash of the password was stolen from the service provider and could be cracked. The sooner you change it, the shorter the window during which crooks can attack your account.
- Pick proper passwords. Even if a service provider doesn’t salt-hash-and-stretch your passwords properly, a strongly-chosen password will hold out against crackers longer than obvious choices such as dictionary words with digits tacked on the end.
- If you run an online service, store your users’ passwords securely. Your authentication database shouldn’t get breached in the first place, of course, but you should nevertheless make things much harder for crackers in case you do get breached.
- Patch early, patch often. If you’re a user, a patched system is less likely to be infected by malware that steals your passwords as you type them in; if you’re a service provider, a patched system is less likely to be penetrated by hackers looking for internal “trophy data” such as authentication databases.
- Consider using two-factor authentication (2FA) if it’s available. 2FA typically involves a one-time code that you use along with your password when you log in.
2FA codes might be sent to you via SMS, or generated by a dedicated app on your phone, and they’re different every time, so your password alone just isn’t enough to access the account.
Generally speaking, 2FA is a minor hassle to use, but a major obstacle for the crooks, so we recommend it.
Summer
Haven’t been on MySpace for ages….just tried to get in and couldn’t. So what do I do now? Also, does that mean I should change USER name on other websites if it is the same as the one I used on MySpace?
Paul Ducklin
It’s the password that matters. If you can’t get in, and you are sure you have the same email address…you might want to try a password reset, see if they email you, and then take whatever is your desired action.
If they don’t email you then you are, hmmm, not going to be sure whether you forgot your password, or used an old email address when you signed up for MySpace, or a crook managed to login and change everything for you. In that case, I don’t really know what to suggest on where to go next with MySpace.
Any readers have any experience/advice of/for dealing with MySpace over password recovery?
Summer
Also, I used to have a LinkedIn acct but deleted it probably a year or so ago. As such, I didn’t keep the password and can’t remember what it was. Am I still at risk for that one, too?
Paul Ducklin
You should be OK, but I am not sure what sorts of LinkedIn “account deletion” exist. I guess if you can no longer access your account at all, even to the “would you like to get your old data back” you can assume it has gone…hopefully for ever.
Mark
Good info – I hope we find out *how* they broke in
wrap2tyt
So, this would suggest that MySpace has at least that many users… who knew.
Paul Ducklin
360 million accounts (including the “homelesspa” ones)… at the time of the breach. We don’t yet know when that was.
There goes my password
Any word from MySpace? Were they aware of the data breach when it occurred? Did they willfully choose to keep their users in the dark?
Cliff
I have a question about hashing and salting. I have access to a database at work that shows what I think are hashed and salted passwords. I have two test accounts and I used the same password for both; the password field in the records display completely different results. All “hashed” passwords in the db appear to be same length as displayed. So is that hashed and salted?
Paul Ducklin
Probably. FWIW, I prefer to say “salted-and-hashed”, because the salt comes first, to make the hash different even if the password’s the same.
(That’s “and” as in “and-then”, not “and” as in the AND operator, which is commutative :-)
Mary M
I went to my old MySpace page and tried deleting/deactivating. It had no tool under settings to delete the account. I did change the password.
Laura M
I received an email from MySpace Legal talking about this, with a link to change my password. I want to make sure this is not some type of phishing email. The email went right to my Spam folder which is why I was a little iffy. So I Googled to see if this was legit.
Bryan
Good call. To paraphrase info gleaned in other articles here on NS related to phishing…
Rather than click any link in an unexpected email, use your browser to manually type the name of the domain you’re prompted to visit. If it’s a legitimate request you’ll see their request paraphrased as soon as you log in–now knowing you’re on the proper site. Using a prior bookmark is further insurance you haven’t landed on an evil site, and if you use a password manager, the remembered password won’t be a problem, because your PM won’t accidentally confuse “boa.example” with “boa.WeSpelldStealYourMoneyCorrictly.example” no matter how good the page looks.
Barry Horne
Apart from the obvious risk to existing users, it seems to me a big risk for ex-MySpace users is where they may have used the same password and email address for other accounts. Too often users adopt the same password and identity across platforms. Perhaps we should be insisting all platforms adopt multi-factor authentication.
Bryan
“Fortunately, the data wasn’t new, coming from a breach that happened four years ago.”
I speculate on how “fortunate” this might be (see the remainder of this sentence), but thanks for the reminder to delete my account.
hey–it’s just MySpace. :-)