More plaintext passwords leaked, nearly 100 MILLION of them!

Russian site Rambler, a popular web portal and free email service, is the latest company to be named in a data breach notification.

Rambler didn’t publish the notification itself: it comes from serial breach-pimping website LeakedSource, which has recently outed several old breaches, including dumping cracked passwords.

Recent data breach articles by LeakedSource mention VerticalScope, MySpace, last.fm and others.

Early indications are that the breach in this case really did happen, that it really was huge, and that at least some of the password data recovered really is correct.

According to LeakedSource, the data in this case was hacked out of Rambler way back on 17 February 2012, when 98,167,935 records were stolen.

But that’s not the worst part: the data sent to LeakedSource included a plaintext password for every account on the list.

Strictly speaking, that doesn’t prove outright that the passwords were originally stored (and thus stolen) in plaintext form.

After all, faced with weakly-hashed passwords, a determined cracker with lots of processors and loads of electricity might just have been able to crack tens of millions of password hashes in four-and-a-half years.

But we think that’s unlikely: even with a list of plain, unsalted, unstretched MD5 hashes, we’re betting that there were a fair number of well-chosen passwords that simply wouldn’t have been cracked yet.

We’re also can’t quite see why even a keen attacker would keep on cracking away at accounts for all that time, once the low and medium hanging fruit in the list had already been cracked and used – especially if the end game was to dump the list publicly.

We’re ready to assume that Rambler, at least back in 2012, was storing its users passwords in plaintext, so that in the event of a breach of the authentication database, hackers would need to put in precisely zero extra effort to “crack” the recovered passwords.

Interestingly, close to two-thirds of the passwords in the Top Fifty dumped by LeakedSource consist of digits only, in obvious patterns.

Let’s hope both that Rambler has started storing passwords more securely since 2012, and that its users have started choosing more wisely, too.

What to do?

• Change your Rambler password if it hasn’t been reset already. Even if weren’t using Rambler back in 2012, or have changed your password since then, you may as well change it again anyway. Because the breach in 2012 wasn’t disclosed back then, you should assume that it wasn’t noticed, so the security hole used may have remained open for some time.
• Learn how to pick a proper password. Even in world with password salting-and-hashing, and a world without breaches, 123456 is always going to be too easy for a crook to guess. If you struggle to think up and remember good paswords, consider using a password manager to help you get it right.
• Learn how to store passwords safely. Passwords aren’t supposed to be stolen, of course, but in case they are, you should ensure that the stolen authentication data is hard for the crooks to crack and use. If you run a web service, dont be a weak link in the security chain.

Update. At 2016-09-07T10:00Z, Rambler emailed to us to say, “We know about that database. It was leaked [in] March 2014 and contained millions of accounts. Right after the accident we forced our users to change their passwords. Nowadays, [a] situation like that is impossible. We do not store passwords in plain text, all data is encrypted (passwords ARE hashed), we have added [a] mobile phone verification option and constantly remind our users about the necessity of changing passwords. We also have forbidden [choosing] previously used passwords for the same account.”