Insights For Success

Strategy, Innovation, Leadership and Security

Downloaded over a billion email addresses and passwords this weekend

Edward Kiledjian

I am a CISO (Chief Information Security Officer) for a major tech company and manage people, budgets and strategy. But the security researcher in me never went away. Over the weekend our intelligence service downloaded 3 separate dumps totalling over 1B leaked credentials (the largest of which was the 400M+ credential dump). The smallest one was a Pastebin dump that contained 6,500 email addresses with cleartext passwords (I was able to verify 3 of the email/password pairs in the list by contacting people I recognized on it).

We use these lists to check for employees (or close-knit partners) who may be impacted by these breaches.

How most people should check

John / Jane Doe won't look for or find these dumps. So what should they do?

Most people should just go to Troy Hunt's Have I Been Pwned and use the free lookup service.

You visit the site and enter your email address (one by one if you have multiple).

And hopefully you get the happy green message that tells you everything is ok (at least as far as the site knows).

Or you can get the dreaded "red box".

Millions of sites have been compromised

Funny enough, I wrote an article on May 3 called 2017 has started as a busy year for hackers and talked about the major compromises we have seen in 2017 (before the major dumps I picked up this weekend). At the end of that article, I had a section called What can you do. I suggest you go read it, but the summary sentence is "you are responsible for your data protection".

  •  you are responsible for your data protection
  •  you are responsible for your data protection
  •  you are responsible for your data protection
  •  you are responsible for your data protection

We are complacent and neglectful. We create accounts everywhere using the same easy-to-guess password. Then someone hacks a site with poor security practices and suddenly your entire digital life is on display for the hackers.

LinkedIn lost the account information for 167 million users. To protect passwords properly, sites need to salt and then hash them. It seems that LinkedIn had not been salting passwords when the hack took place; the passwords were only hashed. What does this mean to you? Without salts, the hashes were easy to crack, and the attackers recovered the passwords in plaintext.

It is important that you create a long, unique, random password for each site or service you use.

The moral of the story is that your information will eventually get hacked. Make it difficult for hackers by using a long, complex, unique password for each service you use. That way, cracking the security on one site doesn't expose your entire life.

Anytime hackers gain access to unencrypted passwords, or are able to crack badly protected ones, they feed the credentials into automated systems that test them against the top 20 major global websites (Gmail, Hotmail, Outlook, Facebook, Twitter, etc.) to determine which ones are good, fresh and valid (a technique known as credential stuffing).

Unfortunately, people often reuse the same password, or a derivative of it, and this allows hackers to wreck people's lives.

If a hacker logs into a service with valid credentials, the service will most likely not know the login is fraudulent. Don't rely on companies to protect you.

Anytime we find a data dump, we look for information pertaining to our company and also analyze the content for clues about its source and the hacker behind it.

Looking at stupid passwords in a 6,500-account Pastebin dump

People still use stupid, easy-to-guess, dictionary-based passwords. Why oh why? Several dozen people in the above list use Pa55word as their password.

Some people used variations of "123456" such as a123456b.

Other "gems" used as passwords in this dump include letmein, monkey, trust, trustme, etc., and simple variations of these, such as adding numbers at the end (letmein01, monkey123, etc.).
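As an added example (not code from the post or from the author's team), here is a small Python triage script in the spirit of the checks described above: it reads a constructed email:password dump, flags addresses in an assumed company domain so those users can be contacted, and tallies the weak-password patterns the post lists (leetspeak like Pa55word, digit suffixes like letmein01, and 123456 variants like a123456b). The sample lines and the example.com domain are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample dump in the email:password format the post describes; every value is made up.
SAMPLE_DUMP = """\
alice@example.com:Pa55word
bob@example.com:letmein01
carol@partner.example.org:monkey123
dave@mail.example:a123456b
erin@example.com:K9#mQ2!vLp
frank@example.com:trustme
"""

COMMON_BASES = {"password", "letmein", "monkey", "trust", "trustme"}  # words the post calls out
# Common leetspeak substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def classify(password):
    """Return a weak-password category, or None if no common pattern matches."""
    lowered = password.lower()
    if "123456" in lowered:
        return "123456 variant"          # e.g. a123456b
    # Strip digits/symbols bolted onto either end (letmein01, monkey123),
    # then undo leetspeak (Pa55word -> password).
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered).translate(LEET)
    if base in COMMON_BASES:
        return "common word" if base == lowered else f"variant of {base}"
    return None

def analyze_dump(dump_text, company_domains):
    """Flag addresses in our domains for outreach and tally weak-password patterns."""
    employees, weak, total = [], Counter(), 0
    for line in dump_text.splitlines():
        if ":" not in line:
            continue                     # skip blank or malformed lines
        email, password = line.strip().split(":", 1)  # passwords may contain ':'
        total += 1
        if email.rpartition("@")[2].lower() in company_domains:
            employees.append(email)      # keep the address only, never the password
        category = classify(password)
        if category:
            weak[category] += 1
    return {"total": total, "employees": employees, "weak": weak}

if __name__ == "__main__":
    report = analyze_dump(SAMPLE_DUMP, {"example.com"})
    print(f"{report['total']} credentials, {len(report['employees'])} in our domain")
    for category, count in report["weak"].most_common():
        print(f"  {count} x {category}")
```

On the sample dump this reports 6 credentials, 4 in the company domain, and 5 weak passwords; swap in a real dump and your own domains to reproduce the outreach list described in the post.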

Don’t use common words in your passwords. Use complex, random passwords.

Most password managers can generate complicated random passwords, or check out my article entitled 5 best Random Password Generators.

Conclusion

As security researchers and a corporate security team, we are careful about how we handle the data. We make sure we securely delete the details once we have scraped them for our own corporate information (so we can proactively reach out to those users and offer advice and guidance).

Hackers are so considerate. Someone will try to hack you; the question is how easy you will make their job.