Not even a fortnight has gone by since it was revealed that 177 million LinkedIn passwords had been made public, confirming that the 2012 breach of LinkedIn’s database had stolen effectively 98% of all users’ passwords from that time. The 177.5 million password hashes for 164.6 million users in the LinkedIn database reportedly align perfectly with LinkedIn’s user count in the second quarter of 2012.
This latest database set is, as Ars Technica reports, being sold “on a darkweb forum by peace_of_mind, a user with 24 positive feedback ratings, two neutral ratings, and zero negative ratings”, suggesting that the seller is not exaggerating the quality of the data.
That data contains more than 642 million password sets from three separate breaches: MySpace, Tumblr and the dating website Fling. The Fling breach is from 2011 and the Tumblr breach from 2013; it is unclear, though, when the MySpace data is from.
Troy Hunt, the operator of the Have I been pwned? breach notification service, said of the MySpace breach: “It surely happened sometime after 2007 and before 2012”. This breach is the largest of the three, compromising 360 million accounts. However, experts are dismissing the value of the MySpace data, as “Myspace engineers truncated passwords to 10 characters and converted all letters to lower-case”.
You may think: this is all old data, so does this release really matter that much? Well, the answer is yes. This actually represents a pivotal moment in the history of password cracking, as Ars Technica’s Jeremi M. Gosney explains in detail. To understand why, I will give a quick primer on the history of password cracking up to now. This is a highly condensed version of the information in the Ars Technica article (plus my own personal knowledge of this area, which is already quite extensive), and I encourage you to read the original source as well.
Prior to 2010, password cracking mainly consisted of arcane methods involving rainbow tables, word lists from obscure sources (think “Klingon_Words.txt”, for example) and other slow methods. In those days password cracking was also mainly done on the CPU, which is not optimised for this kind of task and is slow at it. Two important things changed in 2010. The first was the advent of “general-purpose GPU computing”: by using GPUs instead of CPUs, passwords could be cracked tens of times faster, thanks to the massively parallel nature of GPUs. The other major advent was the release of the RockYou database set of 32 million unique passwords and their hashes. This revolutionised password cracking: from then on everyone was using RockYou.txt instead of arcane text files, and was successfully cracking a “significant percentage of passwords”.
No single breach since has changed the landscape as much as the RockYou breach did, until now. This latest breach is like RockYou 2.0 on steroids. Combined with the original RockYou data and data from other smaller breaches from the past few years, hackers now have an extremely powerful tool at their disposal to aid them in cracking even quite unique and complex passwords.
So what can you do to protect yourself? There is conflicting advice out there, but the safest method is to have a unique password for every online account. The best way to ensure this is to use a password manager program that generates a new random password for each of your accounts. You should also change your password as soon as you hear of a site or service being compromised. Don’t wait for them to contact you to tell you of the breach.
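The core of what a password manager does for you is the random generation step: each account gets an independently generated password drawn from a cryptographically secure random source, so a breach at one site tells a cracker nothing about the others. The following is an added illustration of that idea, not code from the article or from any particular password manager; the function and variable names (`generate_password`, `entropy_bits`, `generate_vault`, `ALPHABET`) are my own.

```python
import math
import secrets
import string

# Character classes the generated passwords draw from:
# 26 lower + 26 upper + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly at random from `alphabet`.

    `secrets` uses the operating system's CSPRNG. The `random` module must
    not be used here: it is seedable and its output is predictable.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    A cracker who knows the alphabet and length must, on average, try
    half of 2**entropy_bits candidates; there is no word list shortcut
    because the password was never a word.
    """
    return length * math.log2(alphabet_size)


def generate_vault(accounts):
    """Map each account name to its own freshly generated password.

    Every value is independent of every other one, which is the property
    that stops credential reuse from turning one breach into many.
    """
    return {name: generate_password() for name in accounts}


if __name__ == "__main__":
    # Constructed sample account list; any names would do.
    vault = generate_vault(["linkedin", "tumblr", "bank", "email"])
    for name, pw in vault.items():
        print(f"{name:10s} {pw}")
    print(f"{entropy_bits(20, len(ALPHABET)):.1f} bits per password")
```

Twenty characters from a 94-symbol alphabet give roughly 131 bits of entropy, far beyond what any word-list-driven attack can reach. By contrast, an 8-character all-lowercase password has about 37.6 bits, and a 10-character lowercased one (the MySpace storage format quoted above) about 47 bits, which is well within reach of GPU cracking rigs.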
Also use 2-factor authentication where available, through a mobile app or a physical dongle where possible. I realise that not all users will use a password manager, though, and I admit I don’t myself. What I personally do is have 1 really complex, impossible password I use for a couple of the most important accounts, 2 unique passwords for financial access accounts, a unique email password for logins (once hackers have your email password they can reset any of your accounts with ease), and apart from that I have 3 different semi-complex passwords I use depending on what it’s for, and a simple throwaway password for non-important stuff that I recycle regularly.
If you don’t use a site like LinkedIn much and there isn’t much data on there, an argument can be made for using a simple throwaway password for something like that (make it a minimum of 8 digits long, though), as long as you change it regularly. If it does get breached, it’s unlikely they will be able to do much with it. But if you’re an account manager, for example, and a site like LinkedIn is vital to what you do and contains a large amount of private data, a unique password is really the only way to go.
Good password managers are a bit outside the scope of this article, but if you search Ars Technica for password articles you will find a lot of useful and reliable material to go on.