Hacker Steals 45 Million Accounts From Hundreds of Car, Tech, Sports Forums (zdnet.com) 47
An anonymous reader quotes a report from ZDNet: A hacker has stolen tens of millions of accounts from over a thousand popular forums, which host popular car, tech, and sports communities. The stolen database contains close to 45 million records from 1,100 websites and forums hosted by VerticalScope, a Toronto-based media company with dozens of major properties, including forums and sites run by AutoGuide.com, PetGuide.com, and TopHosts.com. "We are aware of the possible issue and our internal security team has been investigating and will be collecting information to provide to the appropriate law enforcement agencies," said Jerry Orban, vice-president of corporate development, in an email. In a sample given to ZDNet, the database shows email addresses, passwords that were hashed and salted passwords with MD5 (an algorithm that nowadays is easy to crack), as well as a user's IP address (which in some cases can determine location), and the site that the record was taken from. LeakedSource, which confirmed the findings, said in its blog post that it was "likely that VerticalScope stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale." A LeakedSource group member said it was "not related" to the recent hacks against MySpace, LinkedIn, and Tumblr. The report goes on to say: "A cursory search of the list of domains caught up in the hack revealed that none of the sites [ZDNet] checked offered basic HTTPS website encryption, which would prevent usernames and passwords from being intercepted."
Salts (Score:3)
Now, if you are designing password storage in 2016, there is no excuse not to use proper key stretching function, like scrypt.
Re: (Score:2)
Salts matter. Salted MD5 1 year for 10 character (Score:3)
Yeah the summary seems a bit confused. It says "salted passwords with MD5 (an algorithm that nowadays is easy to crack)". If they are properly salted, they aren't easy to to crack. Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.
UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to
Re: (Score:2)
If they are properly salted, they aren't easy to to crack.
Compared to what?
Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.
So with 45 million accounts it should take a million years to get the first million passwords... is this what I am supposed to believe?
How is enforcing complex passwords sufficient to stave off today and tomorrows computers going? Is it working? Do humans accept passwords with sufficient entropy to survive brute force attack by dedicated cracking hardware and botnets with hundreds of thousands to millions of nodes?
UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.
So what if the cracking isn't free? People were having quite a lot of succ
Works quite well. $1$bCF1UNu$pRbc6HKD.d8fyv7ABC1ML (Score:2)
Yes, modern hashes, salted, work extremely well. This is based on my experience writing software which has handled hundreds of millions of login attempts over the last fifteen years. Here's an MD5 slated hash of own of my passwords which the bas guys which very much like to crack.
$1$bCF1UNu$pRbc6HKD.d8fyv7ABC1ML
Have fun trying.
Re: (Score:2)
Yes, modern hashes, salted, work extremely well.
Current state of the art if you have been following dogma is to include key stretching based on algorithms such as scrypt intentionally designed to be costly to run on massively parallel commodity hardware. You don't even bother with this which puts you at an extreme disadvantage.
It isn't that salting or key stretching is in any way bad or not worth doing. It is the checking of the box and then falling asleep thinking you solved something when in fact you have done no such thing that is the issue at hand.
Re: (Score:3)
Giving websites a secret they have to protect, especially second-tier player like this, just seems like a losing strategy in the long haul. I'm hoping something like SQRL eventually gets some traction, which uses public key crypto + site name to create an authentication method that doesn't rely on the website to keep a secret and is only viable for that single site. How many times must we demonstrate that sites can't be trusted with usernames and passwords? Nor can users be trusted to create decent passw
Re: (Score:2)
I think the movement now is heading towards yubikeys and U2F. The only thing required to happen is to use U2F as first and only factor.
Re: (Score:2)
Giving websites a secret they have to protect, especially second-tier player like this, just seems like a losing strategy in the long haul.
^THIS.
I agree 100%- keeping secrets on a website is a game that's nearly impossible to win but easy to lose. All it takes is one misstep and *boom*, you're toast.
You can run a very, very secure site, follow best practices, be diligent about patching, etc etc etc....and some poorly-written plugin or obscure vulnerability in some minor bit of software that you didn't even know existed can end up compromising the entire thing.
Re: (Score:2)
This is why it is so critical we maintain textual information about what life was like before Republicans.
Not that I'm' a Republican (or a Democrat)... But the Republican party was founded in 1854 (by anti-slavery Whigs) with the primary goal of abolishing slavery. So prior to the Republicans, the US had slavery. Abraham Lincoln was the first Republican president.
In 1878 A.A. Sargent, a Republican, introduced the 19th amendment, it was voted down by the Democrat controlled congress. It wasn't until 1919 that the Republicans controlled both the house and senate that they passed it, still under the opposition of
Re: (Score:1)
For all my friends who bitch at me about the fact that I don't give accurate personal information when creating forum accounts (on the very rare occasions I bother to do so), now you know why. Go ahead, tell me again how I am paranoid and how unfair it is to the forum operators.
You're not paranoid, you're an evil oppressor. Don't you know? Information Wants to Be Free! [slideshare.net] Information has been held back by the (hu)man for far too long. You're to information like the RIAA to music, the MPAA to movies, English to the Irish, men to women, the white man to the native americans, vegans to vegetables, penicillin to bacteria. Nay, you're worse. information is helpless and cannot even fight back in the least. You should hang your head in shame. ;-)
Re: (Score:2)
"... no other way to explain a theft .." (Score:2)
Re: (Score:2)
All of them. I haven't got the email warnings yet, but both of the forums that I subscribe to there have a new boilerplate message about upcoming password changes... without mentioning why. Unsubscribing to the forums is damn near impossible; something that I just learned. The only way that your account can be closed is if you prove too damn obnoxious. But the sites are run from Canada. Being obnoxious can be difficult there. BTW, my corresponding email _was_ hacked within the last week. Barn door left open since February; too late. So I'll have to close that account.
Now before all of the smarmy IT "Professionals" start going on about Password "Security"; note that no Password Ninja broke into my house and stole the keyboard sticky. IT "Professionals" need to understand that these breaches are _their_ fault. _They_ can't secure their systems. They can't even be bothered to warn us in a timely manner about their screwups. So Screw them.
You are correct. It is becoming more clear that having similar or reusing passwords is really stupid bad.
Also, writing passwords down (because now instead of four, there are 45) will have to be the new norm.
Back when people had ONE business password and it let them get in payroll it was bad to have them written down, because it was right where it would do some damage. Now that the average person has Google, email, a forum or two, Facebook or other social media, online banking, store credit card account, A
Password re-use (Score:2)
The big concern is that people may have used the same user name / password combination on other systems.
Re: (Score:2)
I care because..... (Score:2)
Now, sites that I use a credit card for, or that hold money/stocks, those are a different story. Different user names, different passwords, all kep
Re: (Score:2)
I'm just as leery of password "vaults" as I am of easy passwords. I prefer to use the oft-cited xkcd method, which allows me to carry pretty decent passwords in my head.
Other than that, I do pretty much the same as you for websites I don't care about. I'd prefer not to be hacked, but if it happens, it won't be the end of my world.
Re: (Score:3)
I'm just as leery of password "vaults" as I am of easy passwords.
Same here...it seems like a single point of failure. Sure, you can use a long, ugly password for the password vault, but that won't matter if you get zapped by a key logger or malware that sniffs for credentials. And if I was a malware write you could bet your ass that I'd be on the lookout specifically for password keeper apps so I could target them directly.
Password keepers seem like a good idea at first, but the consequences of having one compromised would be catastrophic. They don't just one of your log
Re: (Score:2)
Ooh, time to find your password so I can post bad stuff in all of your careless accounts! ;)
Re: (Score:1)
For sites like Slashdot, fark, ars, etc al I not only use the same login, I use the same password. Why would I care?
I don't care about the stolen accounts, but for a different reason. I don't care because I use LastPass to generate (and store, and automatically fill in) random, unique passwords for every web login. If they hack into my VW or Ford accounts, who cares? They would only get access to that single account.
Ugly. any free lookup tool? (Score:3)
I looked up my email address on that leakedsource.com and they found 2 hits in one hack and 1 hit in a few other hacks. Of course they only tell you what website got hacked. Any info other than that till you subscribe ($4 a day).
Sucks. i searched for a few strings before i got a hit so I feel that it may be legitimate. I am seriously considering paying the money. utorrent, anandtech, and this verticlescope thing. Some had plain text passwords! and sometimes i have in the past reused passwords... nasty!
looked up some friends emails and work colleagues and found hits for almost all of them.
Looked up my work domain and found hundreds of hits. Going to probably do it just to warn my co workers now.
Re: (Score:3)
The only problem with this is, if you give leakedsource your email address to check, that means that they now have your verified email address to keep. Forever.
No, there's no verification required that I saw or was asked for. All it means is that they have an email address, not necessarily even a real one.
For example, I started making up email addresses...and after inputting "sexygurl@yahoo.com", leakedsource came back with this:
MySpace.com has: 200 result(s) found. This data was hacked on approximately 2013-06-11 00:00:00
But I'm not the owner of that email and didn't even know if it was a real email address or not.
Re: (Score:3)
I checked, and it seems like VBulletin has been a major source of leaks of my email address:
VerticalScope Network (Vbulletin) (939 Websites) has: 1 result(s) found. This data was hacked on approximately 2016-02-01 00:00:00
AVSForum.com has: 1 result(s) found. This data was hacked on approximately 2016-01-23 00:00:00
Vbulletin.com has: 1 result(s) found. This data was hacked on approximately 2015-10-27 00:00:00
W3schools.invisionzone.com has: 1 result(s) found. This data was hacked on approximately 2015-01-11 0
Blind leading the blind (Score:2)
First MD5 is NOT broke for this purpose and offers no meaningful disadvantage to other hash algorithms.
Salts and key stretching only make it n-times more expensive to brute force plaintext. While this sounds good even if n is measured in the millions and really does require attackers to expend more resources to accomplish the same result these expenditures amount to an unresolvable spec of dust compared to having a secret with sufficient entropy... a luxury that does not exist in the real world.
There are t