"CoffeeMeetsBagel is a dating website."
Really? So how does that work?
"Wanted: steamy, black and sweet to give this toasted lemon poppy seed a schmear"
Nope, don't even want to see that data!
Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller. For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network: Dubsmash …
It's good to know about the hack, but it does add some value to the hacker to have a reputable news outlet do the hard work of contacting firms and getting them to confirm that, yes indeed, that is their data.
Before, it was just a large, but untested dump, which may or may not have contained useful (to ner do wells) information. Now it's conformed, by at least some of the firms impacted, that the data and hashed passwords are legit.
Clueless is bad enough but that can be fixed. Refusing to disclose is much worse as that is willful decision by management not to talk. However the reason why a site is clueless could be very problematic as it points to mismanagement or willful ignorance of best practices. But it someone gets the religion the clueless can straighten up surprisingly fast. A decision not to disclose indicates a company that refuses to take responsibility for customer data; something the GPDR is aimed squarely at. Any rate it could be interesting for a some of them.
Those sites who knew about their databases being breached but did not inform the end user should, first, be closed down and, second, have the bosses spending time in the chokey, because their failure to disclose, purely to protect their own reputation and income, not only puts *ahem* at risk but also encourages the miscreants to dig deeper into other sites. Be open about such things, or begone.
No you are not. You made the choice to become a person inflicting misery on others, you could have very well chosen to do otherwise. You are, however, the perfect target for a number of tools, such as a golf club, a tire iron, maybe even a sledgehammer.
intarweb miscreants... the cops won't believe they're guilty of anything unless they LOOK like criminals.
You know, how criminals have broken bones, missing teeth, large bruises, scrapes all over them as if they'd been thrown down a couple o' flights of stairs, or got dragged at 30+MPH over a gravel road...
"Yep, THAT GUY looks like a criminal!"
also reminds me of the way a thief on a ship might get treated, accidentally falls overboard and the guy wut dun it quietly whispers "man overboard..." then about 30 minutes later, "MAN OVERBOARD!"
Or another Navy guy I knew, back in the day, who liked to sing a parody of a 60's song, with words like this: "If I had a hammer, I'd smash your @#$%^'ing head in!"
"You are, however, the perfect target for a number of tools, such as a golf club, a tire iron, maybe even a sledgehammer."
That was my instinct-absolutely not, of course, out of any sense of malice or drive to do violence; I simply think he needs his awareness raised as to the nature of golf club injuries. It would be an act of benevolence toward him, really.
I can't see *any* mention of PBKDF2 in the password hashing. Is that because nobody used it, or because the journalist didn't realize the importance?
(For those that don't know, PBKDF2 is an algorithm to iterate a hash function many times. A database where the password has been hashed with MD5 100,000 times is at least 10,000 times better protected than a database where the password has been hashed with SHA512 once.)
PBKDF2 was only recommended in 2017, which was when the first of the dumps came from, so I'd be surprised if any of them are using it. I'd expect it to start showing up in dumps in a couple of years, if not longer. Companies rarely move fast (and nobody is going to force all their existing customers to change their passwords, especially if it means admitting that the old ones might not have been secure).
Also, the sort of company that would use a bleeding edge crypto method, like PBKDF2, might be paying a bit more attention to their basic security, and would be less likely to end up in a dump like this.
Not sure which is more depressing ... the list of websites pwned, or the numbers of morons that sign up to them ? I bet the strike rate for reused credentials is sky-high in that pile.
That said, while I struggle to believe that the six million accounts supposedly contained in the "CoffeeMeetsBagel" dataset relates to six million people, I could easily believe the owners of said website stuffed their user table with six million records in the hope of finding someone to buy them up; which seems to be SOP for some sites ....
Normally, although not always, if ones email address becomes publicly available it will be spammed.
Now if one uses a different email address for any accounts one wishes to remain secure for example firstname.lastname@example.org for paypal or email@example.com for amazon etc. if any spam hits those email addresses, it is a good indicator of that email address being in the public domain.
Watching the spam emails at the mail server I find that less that 1% of the incoming spam is using valid addresses - the vast majority of incoming mail has completely fake addresses - email addresses that have never existed. I suspect that's going to be the case here too, the vast majority of these "account details" are probably fakes generated, and inserted into the database, to make it look big and saleable.
When I do haveIbeenpwnd on my work domains and personal domains, they are the same situation.
Either nonsense, made-up-hex-looking usernames, or off-by-ones in the database (e.g. firstname.lastname@example.org, email@example.com) etc. where someone can't write a spam database program properly and it jumbles up things. I also get valid-looking but never-been-present usernames on my domain (e.g. firstname.lastname@example.org where genuinelookingname was probably associated with domains *similar* to mine, but not actually mine), etc.
There's a lot of junk. A lot of those accounts may have been valid at some point but not any longer. Most people barely keep an email account more than a handful of years, in my experience. Mine is over 22 years old, though, and still going - because I bought the domains and just forward to Hotmail/Gmail/SquirrelMail/my own server/whatever was trendy at the time to actually *read* the email.
In that time, you'd expect my domain to be spammed to oblivion with all those old accounts. A couple of companies have been compromised in the past, so those email address crop up quite a lot (because spammers just copy other spammer's old databases). Things like addresses I used on Usenet and mailing lists are spammed all the time. Anything used in plain-text on a website (e.g. contact addresses, etc.). But most of the spam is literal made-up or false junk @mydomain.
I'd estimate there are 100 addresses on my domain that are actually valid. Of those about 3-4 are compromised or spammed. About 10 or so I've blackholed for either being spammed or other reasons. But my server sees attempts to deliver to several thousand emails every day that have never actually existed at my domain.
The best bit of such a system - compromise the database, grab the email and password from some ancient account from a defunct company... now try to apply that anywhere else on the net apart from that company's services. Even if I've re-used that password elsewhere (e.g. forum accounts that I just don't care about and hold no information on me), you can't even start to guess the email I actually used to sign up with for, say, Paypal or Amazon or whatever so you couldn't re-use that password anyway.
617m account details would, if I applied statistics, probably relate to less than a million real accounts that are active. Some of those would probably be shared. Most of them would be bog-useless to do anything other than send a spam email (e.g. if you got into my Reg account... what exactly could you do with it? Post a dodgy comment?).
"you can't even start to guess the email I actually used to sign up with for, say, Paypal"
Not the best example. PayPal actually give this address out to "merchants" when you make a payment. I put merchants in quotes because I got spammed on my PayPal address by archive.org* orecently because I'd responded to their previous donation appeal. It cost them a donation this appeal of course....
* who aren't even a merchant and would have no reason to need an email address under any of PayPal's feeble excuses.
Surprised quite how many of them are using salted hashes (even if some of them are out of date).
I was honestly expecting a lot worse.
This is why you use a unique username/email and password for each site, and why you DON'T plug them into a password manager.
Buy yourself a domain. Use the "catch-all" functionality to make up any email address you like for each company, and either generate random passwords or only re-use passwords with same-level-of-access sites (e.g. if one dating sites has all your stuff, then another dating site sharing the same password gets them no more information than they've already got, but saves you having to remember/write down a million different passwords. Use a password for banking, one for accounts with credit cards, one with personal information, one for forum accounts, etc. and you only need a handful of passwords. Plus, if you use unique username/email combos then it doesn't really matter if your password gets stolen from one site - the same credential won't work on another because the username will be all wrong anyway).
"why you DON'T plug them into a password manager."
Why? Maybe you don't plug them into and online password manager but I rather think my encrypted KeyPass manager on my laptop is a bit more secure than a text file or the browser's password caching on the same. Apart from anything else its random passwords look a lot more like line noise than any erqogdp]oe0 keyboard mashing will generate.
One single access to your laptop at the level of your user (i.e. a single browser compromise) and your entire database of unique passwords is available to someone for offline hash-cracking with JohnTheRipper. No different to the browser "saved password" functionality itself. that is encrypted in a similar way.
It would take you longer to change all those passwords (because they are now all compromised) than it would do for someone to find the weak ones.
Not only that, by just having such a tool installed, you're basically flashing your iPhone around in the middle of The Bronx which has only one inevitable conclusion:
Tell me - do you do your browsing as a user with access to KeePass?
Much safer to memorise half a dozen decent passwords and then you can literally write "HSBC - level 1 password", "The Register forum - level 5 password" in a document somewhere, or even advertise it to the world.
KeePass is just writing your passwords down and then putting big arrows pointing the way to your password all over your computer. It's no more secure than a notepad file. Plus, you better hope that KeePass never, say, gets a rogue git commit added that compromises it - as has happened to everything from the Linux kernel to Firefox to OpenSSL to entire code repos, etc. in the past. I know which project I'd be trying to infiltrate if I wanted to spend years to get a single code drop inside it, with an accidental "off by one" that gives the person who crafted that complete access to all wallets.
At best, something like KeePass is snake-oil. At worst, it's a tin-foil hat / emperor's new clothes.
@Lee D: The article that you link to about KeePass (and the KeeFarce exfiltration tool) dates from 2015. Although an interesting potential concern, is it still relevant (has KeePass been updated to protect against this), and, also, are KeePassXC (or KeePassX) vulnerable to this weakness?
"Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000)."
This is like a 21st century wall of shame. I _know_ that cyber security is tough, but come on. I would guess that most of these breaches used known exploits against servers that were either not up-to-date or lacked some basic hardening. These breaches are incredibly disrespectful to clients.
....is reasonable and understandable.
But there are similar efforts going on in Cheltenham (and elsewhere):
- in secrecy
- paid for by the taxpayer
......and absolutely no outrage about the secrecy and the complete lack of transparency.
This article is about "bad guys".......but there ARE NO GOOD GUYS!
Just a little evil. Not sharks with frikken laser beams on their heads evil. Ill-tempered sea bass evil. Got it.
"I need the money."
Then clean yourself up and get a job in the industry. If you're even halfway decent it'll pay way more than this penny ante nonsense. Plus you'll get to avoid that whole messy risk-of-incarceration issue.
"Then clean yourself up and get a job in the industry. If you're even halfway decent it'll pay way more than this penny ante nonsense."
Sadly difficult to achieve when you refuse to leave your parents basement. Otherwise, I have to agree with you.
That a bunch of email addresses will get extortion letters that say we have your web cam feed, and we know what you were doing while watching a video. It seems that this is a much more lucrative than trying to get bank credentials or the like. While you send out email to 1000's of addresses, and get a couple to bite and send you back $$$ (in bitcoin form), there seem to be suckers born every minute.
Of course, maybe this seller bought said records and did his thing, and sold off the used addresses after he found it might be too much work to make money from them. Oh, well.
Biting the hand that feeds IT © 1998–2019