Lessons in Password Mis-management

All Your Data Are Belong To Us

An anonymous Russian hacker was discovered advertising 1.17 billion email account records (email addresses and passwords) for sale or trade on the dark side of the internet.  Security researchers who got hold of the data were able to narrow that database down to roughly 272 million unique email accounts.  These accounts were held at a number of major players in the online email game, including Gmail, Microsoft and Yahoo.  The biggest single email provider represented (Russia's Mail.ru) had approximately 57 million records in the database.  All in all, that is a ridiculously huge number of raw user accounts that could be exposed.

How Did This Happen?

It is becoming clear that these accounts were not obtained by attacking the mail providers at all.  Instead, it looks like this person simply compiled the results of numerous databases already available from previous breaches of forums and social media sites.  The hacker merged the databases he obtained and reformatted them to pair each email address with a password.  Using that information and the following logic, the database being reported was created.

  • The hacker knows most people use the same password everywhere, so if a forum gets hacked and a user signed up with the email address user@email.com, he can reasonably guess that the password to that email account is the same as the password from the hacked forum.
  • The hacker collected lots and lots of usernames and passwords from previous breach databases of all kinds of websites.
  • The hacker built a "database" of all these users' email addresses and passwords, as a potential (unverified) list of accounts.
  • He offered it out for free(ish) to whoever was cutest at the moment.

In plain terms, this was data compilation.  It also looks like no attempt was made to verify the validity of the accounts: Mail.ru's analysis of the accounts exposed showed that more than 99.9% of the accounts on their side of the breach are invalid.  This means the 57 million accounts included may actually amount to only ~ 10,000 accounts that were exposed.  Similar numbers are being reported by the other major providers.  These providers have already started resetting or locking out the affected users' accounts to ensure that the leaked data is not usable.  So yes, this could be one of the biggest databases of user accounts and passwords, but Mail.ru could also be right that only a very, very small percentage of the data is actually usable.
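The two halves of the story above, the compilation of overlapping dumps into a list of unique email addresses and the provider-side check that found almost none of the pairs valid, are shown below in an added example that is not part of the original post.  The breach dumps, the provider's account list and the PBKDF2 parameters are all constructed for illustration; the provider check assumes the provider stores salted password hashes and can test a leaked plaintext against them before deciding which accounts to lock or reset.

```python
# Added example (not from the original post). Constructed data throughout.
import hashlib
import hmac
import os
from collections import defaultdict

# Two constructed "breach dumps" from fictional sites, with the inconsistent
# formatting and duplicate rows that real dumps have.
FORUM_DUMP = [
    ("alice@example.com", "hunter2"),
    ("Bob@Example.com", "letmein"),
    ("carol@example.com", "password1"),
    ("alice@example.com", "hunter2"),      # duplicate row
]
SOCIAL_DUMP = [
    ("bob@example.com", "letmein"),
    ("ALICE@example.com", "sunshine"),      # same account, different password
    ("dave@example.com", "qwerty"),
]

# Constructed provider account list (plaintext only to build the store below).
PROVIDER_ACCOUNTS = {
    "alice@example.com": "hunter2",        # reused the forum password
    "bob@example.com": "B0b-unique!",      # unique password at the provider
    "dave@example.com": "qwerty",          # reused the social-site password
}


def normalize(email):
    """Dumps mix case and whitespace; one canonical key per mailbox."""
    return email.strip().lower()


def compile_dump(*dumps):
    """Merge raw (email, password) rows into {email: set(passwords)}.
    Returns (raw_record_count, merged) so the 1.17B -> 272M shrink is visible."""
    merged = defaultdict(set)
    records = 0
    for dump in dumps:
        for email, pw in dump:
            records += 1
            merged[normalize(email)].add(pw)
    return records, dict(merged)


# --- provider side -------------------------------------------------------

def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(accounts):
    """Build {email: (salt, digest)} the way a provider would store it."""
    store = {}
    for email, pw in accounts.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(pw, salt))
    return store


def check_leak(store, merged):
    """Return the provider's emails whose leaked password still works.
    These are the accounts to lock or force-reset; the rest are noise."""
    compromised = []
    for email, candidates in merged.items():
        if email not in store:
            continue
        salt, digest = store[email]
        for pw in candidates:
            if hmac.compare_digest(hash_password(pw, salt), digest):
                compromised.append(email)
                break
    return sorted(compromised)


if __name__ == "__main__":
    records, merged = compile_dump(FORUM_DUMP, SOCIAL_DUMP)
    print(f"{records} raw records -> {len(merged)} unique mailboxes")
    hit = check_leak(make_store(PROVIDER_ACCOUNTS), merged)
    print(f"{len(hit)} of {len(PROVIDER_ACCOUNTS)} provider accounts actually exposed: {hit}")
```

The provider never needs the attacker's plaintext to be "verified" by logging in: hashing each candidate under the account's own salt and comparing in constant time is enough to separate the tiny set of real exposures from the bulk of stale pairs.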

Not a Big Deal, Right?

The concerning thing is, this attacker was right.  Most users reuse the same password because it's a pain to remember a whole bunch of them.  For anyone doing that, this database might contain the right password.  The accounts that are valid could easily have been protected by following any of the following online password practices, most of which, unfortunately, people don't often do.

  1. Use a different password for your email than for any other website.
  2. Change the password on your email account regularly, and immediately after any breach of a site where the same password was used.
  3. Use a separate email account for online registrations versus important (banking or related) email communications.

Since email today is pretty much ubiquitous for almost everything we do, it's becoming a higher and higher value target for hackers.  For example, if you forget your password to your bank, one of the ways the bank often allows you to reset it is by emailing you a one-time code to access your account.  If an attacker controls your email account, they could potentially reset your bank account password and have all kinds of fun with your money (most of it in the "spend, spend, spend!" direction).  As such, protecting our email accounts has become much more important.


Protection, Now Attached to Your Hip

In order to continue to protect the products they provide, the major email companies have all, over the last couple of years, instituted measures that drastically reduce other people's ability to use your account in an unauthorized manner.  They do this using something called "Two-Factor Authentication".  This is a method of combining "something that you know" with "something that you have".  The "something you know" is generally a PIN or password.  The "something you have" is often a cell phone or an application on a computer that has already been set up.  While the brand names and methods aren't exactly the same, the basic idea is as follows:

  1. Identify yourself with a username.
  2. Provide your password (something that you know).
  3. A one-time alert is triggered on your phone, or your phone provides you with a one-time, continuously changing code.
  4. The code is input to the website, or the alert is confirmed on the phone, to ensure that you are you.
  5. Access is granted to the site.
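The "one-time, continuously changing code" in step 3 is, for the authenticator-app variant, a TOTP value (RFC 6238): an HMAC over the current 30-second time step, keyed with a secret shared between the phone and the site when the app was set up.  The example below is added here and is not code from the original post or from any provider; it implements the code generation both sides run and the server-side check, with a small drift window and replay protection.  The shared secret is the RFC 4226/6238 test-vector secret, used only so the output can be checked against the published vectors.

```python
# Added example (not from the original post): TOTP per RFC 6238 over HOTP (RFC 4226).
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """What the phone shows: HOTP with the counter = current time / step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def secret_from_base32(text):
    """Enrolment QR codes carry the secret as unpadded base32; restore padding."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side of step 4. Accepts the current step and +/- window steps to
    tolerate clock drift, compares in constant time, and never accepts a
    counter at or below one already used, so a captured code cannot be replayed."""

    def __init__(self, secret, window=1, step=30, digits=6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1   # highest counter value already accepted

    def verify(self, code, at=None):
        if at is None:
            at = int(time.time())
        counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue   # already consumed: replay or stale
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print("phone shows:", totp(TEST_SECRET))
    v = TotpVerifier(TEST_SECRET)
    print("site accepts:", v.verify(totp(TEST_SECRET)))
```

The two things the site must get right are the constant-time comparison (an attacker should learn nothing from how quickly a wrong code is rejected) and the replay check: the code is only "one-time" if the verifier remembers which time step it last accepted.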

To find out more about these enhanced levels of authentication that are available from some of the major players, see the links below.

These protections make the leaked database of accounts useless on its own for accessing your account with the provider.   Some support an app, text message, or phone call as the second step after the password, and others simply need you to hit CONFIRM on your phone, but all of them are only as secure as the place where you receive the confirmation.  A code delivered by text message is only as safe as your phone number itself, which is why an authenticator app is the stronger choice where the provider offers one.  Make sure your phone is locked with a password, fingerprint, or PIN, or else anyone who can pick up the phone could still log in as you.