13 July 2016

642 million Tumblr, MySpace, Fling passwords stolen

Chris Mordd Richards

Not even a fortnight has gone by since it was revealed that 177 million LinkedIn passwords had been made public, confirming that the 2012 breach of LinkedIn’s database had stolen effectively 98% of all users’ passwords at that time. The 177.5 million password hashes for 164.6 million users in the LinkedIn database reportedly align perfectly with LinkedIn’s user count in the second quarter of 2012.

This latest database set is, as Ars Technica reports, being sold “on a darkweb forum by peace_of_mind, a user with 24 positive feedback ratings, two neutral ratings, and zero negative ratings”, suggesting that the user is not exaggerating the quality of the data.

That data contains more than 642 million password sets from three separate breaches: MySpace, Tumblr and the dating website Fling. The Fling breach dates from 2011 and the Tumblr breach from 2013; it is unclear when the MySpace data is from.

Troy Hunt, operator of the Have I been pwned? breach notification service, said of the MySpace breach: “It surely happened sometime after 2007 and before 2012”. This breach is the largest of the three, compromising 360 million accounts. However, experts are dismissing the value of the MySpace data, because “Myspace engineers truncated passwords to 10 characters and converted all letters to lower-case”.

You may think this is all old data, so does this release really matter that much? The answer is yes: this actually represents a pivotal moment in the history of password cracking, as Ars Technica’s Jeremi M. Gosney explains in detail. To understand why, I will give a quick primer on the history of password cracking to date. This is a highly condensed version of the information in the Ars Technica article (plus my own knowledge of this area, which is already quite extensive), and I encourage you to read the original source as well.

Prior to 2010, password cracking mainly consisted of arcane methods involving rainbow tables, word lists from obscure sources (think “Klingon_Words.txt”, for example) and other slow methods. In those days password cracking was also mainly done on the CPU, which is not optimised for this kind of task and is slow at it. Two important things changed in 2010. The first was the advent of “general-purpose GPU computing”: by using GPUs instead of CPUs, passwords could be cracked tens of times faster thanks to the parallel processing nature of GPUs. The other major development was the release of the RockYou database set of 32 million unique passwords and their hashes. This revolutionised password cracking; from then on everyone was using RockYou.txt instead of arcane text files, and was successfully cracking a “significant percentage of passwords”.

No single breach since has changed the landscape as much as the RockYou breach did, until now. This latest breach is like RockYou 2.0 on steroids: combined with the original RockYou data and data from other smaller breaches of the past few years, hackers now have an extremely powerful tool at their disposal to aid them in cracking even quite unique and complex passwords.

So what can you do to protect yourself? There is conflicting advice out there, but the safest method is to have a unique password for every online account. The best way to ensure this is to use a password manager program that generates a new random password for each of your accounts. You should also change your password as soon as you hear of a site or service being compromised. Don’t wait until they contact you to tell you of the breach.

Also use two-factor authentication where available, through a mobile app or a physical dongle where possible. I realise that not all users will use a password manager though, and I admit I don’t myself. What I personally do is have 1 really complex, impossible password that I use for a couple of the most important accounts, 2 unique passwords for financial access accounts, unique email for password logins (once hackers have your email password they can reset any of your accounts with ease), and apart from that I have 3 different semi-complex passwords I use depending on what it’s for, and a simple throwaway password for non-important stuff that I recycle regularly.

If you don’t use a site like LinkedIn much and there isn’t much data on there, an argument can be made for using a simple throwaway password for it (make it a minimum of 8 digits long though), as long as you change it regularly. If it does get breached, it’s unlikely they will be able to do much with it. But if you’re an account manager, for example, and a site like LinkedIn is vital to what you do and contains a large amount of private data, a unique password is really the only way to go.

Good password managers are a bit outside the scope of this article, but if you search Ars Technica for password advice you will find a lot of useful and reliable articles to go on.

All Comments

Wired has just published an excellent piece on password hashing and how it works, prompted by the password leaks. If you want to learn more about what password hashing is and how it does or doesn’t help secure your password if it’s breached, check out this link: https://www.wired.com/2016/06/hacker-lexicon-password-hashing/

gbates said :

As an example of the damage done, there are growing reports of users of TeamViewer – a remote access application – having their PCs illegally accessed as a result of the leaked compromised credentials being used, according to an official investigation by TeamViewer. More here: https://arstechnica.com/security/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/

The fallout continues: http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/

Woops, just noticed “unique email for password logins” – that was meant to be “unique password for email logins” haha!

As an example of the damage done, there are growing reports of users of TeamViewer – a remote access application – having their PCs illegally accessed as a result of the leaked compromised credentials being used, according to an official investigation by TeamViewer. More here: https://arstechnica.com/security/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/

bitterness said :

Charlotte Harper said :

Well I used the Have I been pwned? thing, and it came back clear.

Until all the email addresses it is collecting get pwned…

From their FAQ:

Is anything logged when people search for an account?
Nothing is explicitly logged by the website. The only logging of any kind is via Google Analytics and NewRelic performance monitoring and any diagnostic data implicitly collected if an exception occurs in the system.

How do I know the site isn’t just harvesting searched email addresses?
You don’t, but it’s not. The site is simply intended to be a free service for people to assess risk in relation to their account being caught up in a breach. As with any website, if you’re concerned about the intent or security, don’t use it.

It’s also hosted on the Microsoft Azure cloud platform, which, without going into details, I can tell you is one of the most secure ways he could have set it up given the dataset size and the need for millions of people to be able to access it at once through the site. Trust me, hacking into this database is something that very few blackhats would be able to accomplish, and the ones who could have no need for silly things like password/username sets; if they’re that good, they stopped using rudimentary methods like that a long time ago, trust me.
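The concern raised in this exchange (does the lookup service learn what you search for?) can be addressed by design rather than by trust: the k-anonymity scheme that Have I been pwned? later adopted for its Pwned Passwords lookup sends only the first 5 hex characters of the password’s SHA-1 and matches the remaining 35 locally. The Python below is an added example, not code from the site or from anyone in this thread; it simulates both sides offline, with a small constructed corpus standing in for the real HTTPS range endpoint.

```python
import hashlib

# Constructed sample standing in for the service's corpus of breached
# passwords and how often each was seen; the real corpus is far larger.
BREACHED_CORPUS = {"password": 3_000_000, "123456": 20_000_000, "letmein": 100_000}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_response(prefix: str, corpus: dict) -> str:
    """Server side (simulated): every hash in the corpus sharing the
    5-character prefix, as 'SUFFIX:COUNT' lines. The server never learns
    which of these suffixes, if any, the client is interested in."""
    lines = []
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def check_password(password: str, fetch_range) -> int:
    """Client side: hash locally, transmit only the 5-char prefix (20 bits),
    then compare the 35-char suffix against the returned list.
    Returns the breach count, or 0 if the password was not found."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue  # tolerate blank lines in the response body
        cand_suffix, count = line.strip().split(":", 1)
        if cand_suffix == suffix:
            return int(count)
    return 0


def offline_fetch(prefix: str) -> str:
    # Offline stand-in for an HTTPS GET of .../range/<prefix> (hypothetical
    # transport; serves the constructed corpus above).
    return build_range_response(prefix, BREACHED_CORPUS)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in corpus")
```

The client reveals 20 bits of a 160-bit hash, so even a logging server only learns that the password is one of roughly 2^140 candidates.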

bitterness said :

Charlotte Harper said :

Well I used the Have I been pwned? thing, and it came back clear.

Until all the email addresses it is collecting get pwned…

Heheh. Very good.

Somebody asked me the other day why their Huawei home router wasn’t working anymore.
I said something to the effect of, “The Chinese government has probably shut it down after deciding they’ve collected all the personal information off you that they want”.

People would be amazed at what the “things” that are the “internet of things” are actually doing….

That smartypants security system that lets you see what’s going on in your living room when you are at work? Yeah – you’re not the only person who now knows what’s going on inside your house at all times…

bitterness said :

Charlotte Harper said :

Well I used the Have I been pwned? thing, and it came back clear.

Until all the email addresses it is collecting get pwned…

bitterness said :

Charlotte Harper said :

Well I used the Have I been pwned? thing, and it came back clear.

Until all the email addresses it is collecting get pwned…

Oh… yeah. Good point. Anyway, it’ll be slim pickin’s if someone does wander in. Nuthin much in it. Firstly they will need Windows XP, which even Windows now disowns.
Have been pricing some laptops so hope to be using 10 shortly.

Well I used the Have I been pwned? thing, and it came back clear. Thanks for posting it.
