Yahoo!, Dropbox and Hacked: Stopping the Chain Reaction

February 14th, 2013 by Vladimir Katalov
Category: «General», «Passwords & Human Factor», «Security», «Tips & Tricks»

Major security breaches occur in quick succession one after another. Is it a chain reaction? How do we stop it?

  • January 2012: Zappos hacked, 24 million accounts accessed
  • June 2012: 6.5 Million encrypted LinkedIn passwords leaked online
  • July 2012: 420,000 Formspring passwords compromised in security breach
  • July 2012: Yahoo! Mail hacked
  • August 2012: Dropbox hacked, user accounts database leaked.
  • August 2012: Blizzard hacked, user accounts leaked.
  • September 2012: Private BitTorrent tracker hacked, passwords leaked by Afghani hackers
  • September 2012: Over 30,000 usernames and passwords leaked from private torrent tracker RevolutionTT
  • September 2012: IEEE admits password leak, says problem fixed
  • November 2012: Adobe Connect Security Breach Exposes Personal Data of 150K Users
  • November 2012: Security breach hits , 628 user IDs and passwords leaked
  • November 2012: Anonymous claims they hacked PayPal’s servers, leaks thousands of passwords online
  • December 2012: 100 million usernames and passwords compromised in a massive hack of multiple popular Chinese Web sites
  • January 2013: Yahoo! Mail hacked (again).
  • February 2013: Twitter breach leaks emails, passwords of 250,000 users

 Re-Using Passwords: a Really Bad Idea

Using the same password, or a simple variation of it, to secure different accounts has never been a good idea. Today it is a worse idea than ever. Major hacks and security breaches happen all the time, and the speed at which they follow one another leaves little doubt that the attackers are using databases of previously harvested passwords to break into a variety of other services. Could so many services be broken into so quickly if the attackers had to brute-force the password of each and every account? Blizzard, for one, does not think it would be possible.

According to Blizzard [ ], the hackers gained unauthorized access to email addresses, the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators, and what the company refers to as “cryptographically scrambled versions of passwords (not actual passwords)”. All this information, in Blizzard’s opinion, is not enough to gain access to accounts.

In ElcomSoft’s opinion, however, recovering the original plain-text passwords by attacking a large database of “cryptographically scrambled versions of passwords” on a local workstation is far easier and far faster than brute-forcing the password of a single account on a remote server: there are no lockouts and no rate limits, and each guess costs only one hash computation.

This, however, is only part of the problem. What if the attacker, instead of brute-forcing, uses a dictionary of known passwords (obtained from an earlier hack of a different service, for example) against these “cryptographically scrambled versions of passwords”? How long would it take to break into at least one user account? In ElcomSoft’s opinion, only seconds.

According to recent research, the password reuse rate across accounts on different services is at least 31 percent and could be as high as 43 percent, or 49 percent if similar passwords are counted. In practice this means that attackers who obtain the user account database of one service can very quickly attack another, and then another, creating a chain reaction. Such a reaction would be extremely difficult to stop unless users finally start using passwords that are not necessarily complex but truly unique.
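The difference between brute-forcing and replaying an earlier breach is easy to see in code. The following Python script is an added example (not ElcomSoft’s code or anything from the original post): it takes a constructed wordlist standing in for passwords recovered from an earlier, unrelated breach and runs it against a constructed table of leaked SHA-1 hashes, once in the unsalted form LinkedIn stored in 2012 and once with a per-user salt. The user names, passwords and salts are all invented for the example.

```python
import hashlib
from collections import defaultdict

# Constructed for this example: plain-text passwords "recovered" from an
# earlier, unrelated site's leak.  Nothing here comes from a real breach.
WORDLIST_FROM_OTHER_BREACH = [
    "password1", "letmein", "qwerty123", "iloveyou", "Hello1", "sunshine",
    "trustno1", "dragon", "monkey", "football", "abc123", "welcome",
]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed "leaked" table in the unsalted SHA-1 format LinkedIn used in
# 2012: user -> sha1(password).  Two users share a password, so they share
# a hash, which is exactly the shortcut an unsalted store hands the attacker.
LEAKED_UNSALTED = {
    "alice": sha1_hex(b"letmein"),
    "bob":   sha1_hex(b"correct horse battery staple"),  # not in the wordlist
    "carol": sha1_hex(b"letmein"),
    "dave":  sha1_hex(b"Hello1"),
}

# The same accounts with a per-user salt: user -> (salt, sha1(salt || password)).
LEAKED_SALTED = {
    "alice": ("n3Xq", sha1_hex(b"n3Xq" + b"letmein")),
    "bob":   ("9zLp", sha1_hex(b"9zLp" + b"correct horse battery staple")),
    "carol": ("Ue7t", sha1_hex(b"Ue7t" + b"letmein")),
    "dave":  ("qq01", sha1_hex(b"qq01" + b"Hello1")),
}


def crack_unsalted(leaked, wordlist):
    """Hash every candidate once and look it up against all accounts at the
    same time.  Returns ({user: password}, number_of_hashes_computed)."""
    accounts_by_hash = defaultdict(list)
    for user, digest in leaked.items():
        accounts_by_hash[digest].append(user)
    cracked = {}
    for word in wordlist:
        for user in accounts_by_hash.get(sha1_hex(word.encode()), []):
            cracked[user] = word
    return cracked, len(wordlist)


def crack_salted(leaked, wordlist):
    """With a per-user salt every candidate has to be re-hashed for every
    account, so the work is accounts x candidates instead of candidates.
    A reused password still falls within the first few guesses."""
    cracked = {}
    computed = 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            computed += 1
            if sha1_hex(salt.encode() + word.encode()) == digest:
                cracked[user] = word
                break
    return cracked, computed


if __name__ == "__main__":
    for name, crack, table in (("unsalted", crack_unsalted, LEAKED_UNSALTED),
                               ("salted", crack_salted, LEAKED_SALTED)):
        found, work = crack(table, WORDLIST_FROM_OTHER_BREACH)
        print(f"{name}: {len(found)}/{len(table)} accounts after {work} hashes: {found}")
```

Salting removes the one-hash-hits-many-accounts shortcut and a slow password hash (bcrypt, PBKDF2, scrypt) multiplies the cost of each guess, but neither helps a user whose password is already in the attacker’s wordlist: three of the four constructed accounts fall after a couple of dozen hash computations in both runs. The only account that survives is the one whose password is not in the list, which is the article’s point about uniqueness.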

This is probably the reason Blizzard advises their users to change their passwords immediately.

 Reverse Brute Force Attack

A SQL injection can hand attackers an entire table of password hashes for offline processing; brute-forcing an online account directly, by contrast, is no longer practical, because service providers normally lock an account after a few unsuccessful login attempts. That is the classic brute-force attack. The “reverse” brute-force attack (today usually called password spraying) does the opposite: it tries a single popular password (e.g. “password1”) against many different account names. Account names can be guessed from a dictionary or harvested from popular forums and other open sources, and one attempt per account never trips a per-account lockout. Providers can still stop the attack by blocking large numbers of login attempts from the same IP address, but botnets run coordinated, distributed attacks from thousands of computers, each with its own IP address, and defeat that as well. Beyond a provider refusing to accept the most common passwords at registration, there is currently no protection against this type of attack other than not using common, popular, easy-to-guess passwords.
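On the provider side the attacks described above leave different traces in the authentication log. The detector below is an added example, not code from the original post or from any provider’s systems. It parses a constructed log format (`<timestamp> auth=FAIL user=... ip=...`, invented for the example) and applies three rules: the per-account lockout the article mentions, a per-IP block, and a global rule that flags a burst of failures spread across many distinct accounts and many distinct source addresses, which is what a distributed reverse brute-force looks like and what the first two rules miss. The sample log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log format for this example (not the format of any real product):
#   <UTC timestamp> auth=<OK|FAIL> user=<account> ip=<source address>
FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+) auth=(OK|FAIL) user=(\S+) ip=(\S+)$")


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), FMT),
            "ok": m.group(2) == "OK", "user": m.group(3), "ip": m.group(4)}


def failed_logins(lines):
    events = [e for e in map(parse, lines) if e and not e["ok"]]
    return sorted(events, key=lambda e: e["ts"])


def classic_bruteforce(lines, threshold=5):
    """Per-account rule: the lockout most providers already apply."""
    per_user = Counter(e["user"] for e in failed_logins(lines))
    return {u for u, n in per_user.items() if n >= threshold}


def single_source_spray(lines, threshold=10):
    """Per-IP rule: catches a spray run from a single machine."""
    per_ip = Counter(e["ip"] for e in failed_logins(lines))
    return {ip for ip, n in per_ip.items() if n >= threshold}


def distributed_spray(lines, window=timedelta(seconds=60), min_failures=20, min_ratio=0.8):
    """Global rule: a burst of failures spread over many distinct accounts
    *and* many distinct source addresses, roughly one attempt each, trips
    neither rule above but is exactly what a botnet spray looks like.
    Returns the first such burst, or None."""
    events = failed_logins(lines)
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        burst = events[start:end + 1]
        if len(burst) < min_failures:
            continue
        users = len({e["user"] for e in burst})
        ips = len({e["ip"] for e in burst})
        if users >= min_ratio * len(burst) and ips >= min_ratio * len(burst):
            return {"start": burst[0]["ts"], "end": burst[-1]["ts"],
                    "failures": len(burst), "users": users, "ips": ips}
    return None


def _constructed_log():
    base = datetime(2013, 2, 14, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(FMT)

    lines = []
    # Classic brute force: six failures against one account from one address.
    lines += [f"{stamp(i)} auth=FAIL user=alice ip=198.51.100.7" for i in range(6)]
    lines.append(f"{stamp(10)} auth=OK user=bob ip=192.0.2.9")
    # Reverse brute force from a botnet: one popular password tried once
    # against each of 25 accounts, every attempt from a different address.
    lines += [f"{stamp(120 + i)} auth=FAIL user=user{i:02d} ip=203.0.113.{i + 1}"
              for i in range(25)]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    print("locked accounts:", classic_bruteforce(SAMPLE_LOG))
    print("blocked addresses:", single_source_spray(SAMPLE_LOG))
    print("distributed spray:", distributed_spray(SAMPLE_LOG))
```

On the constructed log the per-account rule locks `alice`, the per-IP rule fires on nothing (every spray attempt comes from a different address), and only the global rule notices the 25 single-attempt failures. The thresholds are assumptions; in production they would be tuned against the service’s normal failure rate, and the alert would feed a response such as temporarily requiring a second factor rather than a lockout that the attacker could use against legitimate users.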

 Using Unique Passwords Is Not Enough

Consider the compromised Yahoo! Mail accounts. Why do they matter so much? The information stolen from Yahoo! accounts is dangerous not only because it contains highly sensitive personal data, and not only because the credentials can be reused to break into the same users’ accounts on other services. With access to the actual messages stored in a Yahoo! Mail account, attackers can retrieve registration information from other services, such as confirmation emails. Such confirmation emails almost always contain the user’s login name and often the password itself in plain text, and the same mailbox receives every “password reset” link those services send. What more fuel does the chain reaction need?

 Stopping the Chain Reaction: The To Do List

  1. Use unique passwords for different online services.
    Password-authenticated key exchange protocols such as the Secure Remote Password protocol (SRP) keep the password off the wire and out of the server’s database, but what the server stores instead (a verifier derived from the password and a salt) can still be attacked offline with a dictionary if that database leaks, so they do not turn a weak password into a strong one. Even so, a password does not have to be extremely complex: 7-9 characters of a fairly random mix of letters and numbers is usually good enough. What is essential is never to use the same password, or a variation of it (e.g. “hello”, “Hello” or “Hello1”), for different accounts.
  2. Always change default passwords when opening a new account.
    Many online services send your complete account credentials, password included, to the email address you gave at registration. If that mailbox is ever compromised, those credentials leak with it. Make a habit of changing any default or emailed password immediately after logging in to a newly created account for the first time.
  3. Use a secure email service.
    Avoid online email services with a marginal reputation and less than adequate protection: a compromised mailbox lets an attacker take over your other accounts, for example by triggering their “password reset” flows. Sticking to Google Mail, MSN or even Yahoo! is still safer than using a homegrown service with an unknown degree of protection.
  4. Use two-step authentication if available.
    Many services are introducing two-step authentication. Dropbox, for example, is about to start confirming each login not only with a password but with a one-time code sent to the user’s mobile phone by SMS. A leaked or reused password alone is then not enough to log in, which makes this kind of authentication much harder to defeat than a password by itself. If your service provider offers two-step authentication, use it!
  5. Be aware if your online service provider is hacked.
    It may sound like wishful thinking, but it is a good idea to keep up with the news, or at least with the Leaked Passwords page. If your provider is hacked, change your password immediately, and change it anywhere else you have used the same one. Reacting quickly is often more important than coming up with a long, secure password.
  6. Vary login names.
    Using the same login name across various services is just as bad an idea as reusing the same password. Leaving privacy concerns aside, reusing the login makes hackers’ lives so much easier.
  7. Don’t use personal information for security questions.
    It’s been said more than once that choosing obvious security questions (often used for resetting lost password) is never a good idea. Mother’s maiden name, names of your children or pets’ names are all too easy to guess. Hackers can and do target these types of questions – just as in the recent iCloud break-in. Choose non-obvious questions and imaginary answers that only you will know.
  8. If you don’t trust the source, don’t trust it with your personal information.
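Item 1 rules out not just identical passwords but trivial variations of one password, and that is something a tool can check. The script below is an added example, not code from the original post or from any password manager: it normalizes a password to its “core” (case folded, leading and trailing runs of digits and symbols removed, common leet substitutions undone) and flags pairs of accounts whose cores match or contain each other. The sample vault and the normalization rules are assumptions made for the example; a real password manager would tune them.

```python
import re

# Common "leet" substitutions undone, so that P@ssw0rd and password compare equal.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def canonical(password):
    """Collapse the tweaks people use to 'vary' one password into a core string:
    case, a leading/trailing run of digits or symbols (the '1', the '!', the
    year) and leet substitutions.  hello, Hello, Hello1, H3llo! and hello2013
    all collapse to 'hello'.  Strip before translating so that a trailing '3'
    is treated as a suffix rather than turned into an 'e'."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def is_variation(candidate, existing, min_core=4):
    """True if `candidate` is the same as, or a trivial variation of, any
    password in `existing`.  Substring containment (hello / helloworld) only
    counts when both cores are at least `min_core` characters, so that a
    short core does not match everything."""
    c = canonical(candidate)
    for old in existing:
        o = canonical(old)
        if candidate.lower() == old.lower() or (c and c == o):
            return True
        if len(c) >= min_core and len(o) >= min_core and (c in o or o in c):
            return True
    return False


def find_variations(passwords_by_account):
    """Report pairs of accounts whose passwords are variations of each other.
    The input is an {account: password} map such as a password manager's vault."""
    items = list(passwords_by_account.items())
    pairs = []
    for i, (acct_a, pw_a) in enumerate(items):
        for acct_b, pw_b in items[i + 1:]:
            if is_variation(pw_a, [pw_b]):
                pairs.append((acct_a, acct_b))
    return pairs


# Constructed sample vault for this example (invented accounts and passwords).
SAMPLE_VAULT = {
    "mail": "Hello1",
    "forum": "hello",
    "bank": "Tr0ub4dor&3",
    "game": "h3llo2013",
}

if __name__ == "__main__":
    for a, b in find_variations(SAMPLE_VAULT):
        print(f"{a} and {b} effectively share a password")
```

On the constructed vault the mail, forum and game passwords all reduce to the same core and are reported as three pairs, while the bank password stands alone. The check is deliberately generous: it is better for a vault audit to nag about a borderline pair than to let “Hello1” and “hello2013” pass as two different passwords, which is exactly the mistake an attacker with one breached list is counting on.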
    Does a Web site attempt to collect more information from you than your common sense tells you is reasonable? Fake it: it’s not illegal to fake your personal information when opening an email account or registering in a multi-player online game. Your personal information can be misused in so many ways it’s not even funny. This does not apply to registering for electricity services or getting a local phone line, but trusting your correct date of birth and social security number to a Web forum or chat room? Just say “no”.