33 million CLEARTEXT creds for Russian IM site dumped by chap behind Last.FM mess

Instant messaging platform QIP.ru has suffered the loss of approximately 33 million user records, which have emerged in cleartext. Utah-based security firm Heroic was sent the data by a user known as Daykalif, who last week leaked 98.1 million cleartext accounts for Rambler. The same hacker also leaked 43.6 million …

  1. Neoc

    Ah yes, the idea of password managers being the solution once again is mooted as a silver-ish bullet.

    Except if you use more than one computer. Or have to use a public computer. Or in fact, any situation where the computer you use is not the only computer you shall ever use.

    1. Anonymous Coward

      I'm more worried that this so-called solution suggests that any old password manager will do. In the light of agencies in a certain country being evidently simply above the law (insofar as clear and pretty egregious breaches of the law have quite simply zero consequences), I would venture that you really have to consider where something is hosted and who hosts it before you trust it (if they use Gmail, you can generally assume they're actually not that hot on security).

      This is also why I don't use the OSX cloudy keychain facility. Safari now automatically suggests a random password as soon as it sees an account setup, but I keep that local. The only syncs I have of security facilities are SecureSafe (where I have a few passwords that need to survive me, so it has inheritance enabled) and OTP Pro, and the latter I do via a file, not via its iCloud mechanism (OTP Pro is like Google Authenticator, but more useful/flexible in a number of ways).

      What this leak demonstrates, however, is that occasionally changing your passwords really is a good idea because leaks can emerge FAR later.

      The real problem, however, is that passwords alone are no longer a good answer. Given how easy it is to install a simple One Time Password mechanism that is based on a set of clear, open standards (RFC 6238 and RFC 4226), the only barrier is setting up the customer support process - we're not exactly short of client software. That should IMHO be standard for anything sensitive.

      1. Doctor Syntax Silver badge

        "if they use Gmail, you can generally assume they're actually not that hot on security"

        Not necessarily. A Gmail address might simply mean that they don't consider that particular site is deserving of security. Stuff that matters can be given a unique email address and password.

        1. Anonymous Coward

          "Not necessarily. A Gmail address might simply mean that they don't consider that particular site is deserving of security. Stuff that matters can be given a unique email address and password."

          Alas, I get to audit a lot of these "next big thing" wannabes for a living and that never happens. You get these pitch decks full of Silicon Valley buzzwords (or worse, someone dreamt up a video which *always* seems to require some idiot with a banjo in the background) and if that isn't enough to put off the average investor (or me representing them), it generally takes but three questions before it changes from "next big thing" to "me too with some words changed and we would really like some big fat salaries until you discover this".

    2. VinceH

      "Ah yes, the idea of password managers being the solution once again is mooted as a silver-ish bullet.

      Except if you use more than one computer. Or have to use a public computer. Or in fact, any situation where the computer you use is not the only computer you shall ever use."

      So you use one which encrypts the password database, and is portable.

      The only problem in your list then is the use of a public computer - which, personally, I'd avoid like the plague anyway if you're going to be logging in to anything you consider secure/private.

  2. Neil Barnes Silver badge

    Irrespective of the strength of passwords

    Or indeed the number of them... life would be a *lot* simpler if so many of the retail sites didn't decide we needed a password and login for *everything*.

    I'm going to buy something, right? So you need - short term - my name and postal address, and a credit card number. But once the stuff is posted to me, or you receive confirmation from your shippers, you can securely delete that stuff. If I want to buy something else, hey, I still know my address; I don't need you to remember it for me... and that way we don't end up in the ridiculous situation that I'm trying to buy something years later, can't recall the original password, and can't change log in again because 'that username already exists'.

    1. Mark 85

      Re: Irrespective of the strength of passwords

      I find the "guest" as opposed to the "member" is preferable as the sites don't seem to keep any info about me. Yeah, I have to fill that out with each purchase but it's a small price to pay. Unfortunately, the Marketing types seem to think that "Member" is better.

    2. Doctor Syntax Silver badge

      Re: Irrespective of the strength of passwords

      "life would be a *lot* simpler if so many of the retail sites didn't decide we needed a password and login for *everything*."

      My solution is to set up a temporary email address every few months for these wankers and then tear it down later. Their spam just gets bounced.

      1. Anonymous Coward

        Re: Irrespective of the strength of passwords

        "My solution is to set up a temporary email address every few months for these wankers and then tear it down later. Their spam just gets bounced."

        I add a little twist to this: the temp email address I use references the site it was submitted to. I tend to keep a temp address around for about 6 months, and it's easy to see who isn't true to their privacy requirements. If it's an outfit I want to keep I change the email address later to one I refresh less often :).


  3. allthecoolshortnamesweretaken

    Irrespective of the strength of passwords

    "The passwords within the database were stored in plaintext with no encryption or hashing."

    Yeah, well....

  4. AndrueC Silver badge
    FAIL

    33 million - ouch.

    Clear text - WT bloody F?

    1. Alan Brown Silver badge

      cleartext

      They're hardly alone. Friendfinder kept all its passwords in cleartext prior to the 2015 hack publicity (and apparently still does)

      I challenged them on this in _2004_ when I discovered it subsequent to the realisation that Manchester-based script kiddiez were running wild through their systems and leaking personal data for harassment purposes. Their claim was that it was too hard to encrypt - and the Californian regulators weren't interested in the data leaks as it wasn't reported against Californian residents.

      Yes - the issue really was reported 11 YEARS before millions of passwords were leaked.

  5. Aodhhan

    Why are we talking about passwords

    The best password in the world doesn't matter if the site storing them doesn't properly take care of it.

    The subject of this article is more about poor password storing, which affects a lot of users. If an individual decides to use a crap password, then it only affects them (for the most part).

    Let's face it, this application isn't exactly high risk if someone manages to guess or dictionary attack a simple password. So, focus needs to be on web sites which are negligent in their responsibility to protect your information.

    It doesn't take a genius to set up an encrypted database and route to and from the web service.
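
On the storage side the bar is even lower than an encrypted database: an encrypted database still yields cleartext to anyone who compromises the application, whereas a salted slow hash gives an attacker nothing but the cost of guessing. The following is an added example, not code from the commenter or from QIP.ru, showing the minimum a site should do with the standard library alone: PBKDF2-HMAC-SHA256 with a random per-user salt, the iteration count stored in the record so it can be raised later, constant-time comparison, and a login path that transparently upgrades old records and does not reveal by timing whether a username exists. The `users` table and the passwords in it are constructed for the example; the iteration count is an assumed policy value, not a figure from the page.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 210_000   # policy knob; raise it over time, old records get upgraded
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$hash. Nothing in it
    lets a database thief recover the password without a guessing attack."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in
    constant time so a mismatch position does not leak through timing."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iters)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except ValueError:
        return False  # malformed record (e.g. a legacy cleartext row)
    if algo != ALGO or iterations <= 0:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made under a weaker policy than today's."""
    try:
        algo, iters, *_ = stored.split("$")
        return algo != ALGO or int(iters) < CURRENT_ITERATIONS
    except ValueError:
        return True


def login(users: dict, username: str, password: str) -> bool:
    """Typical login path. Unknown users still cost one hash computation so the
    response time does not tell an attacker which usernames exist."""
    stored = users.get(username)
    if stored is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * SALT_BYTES, CURRENT_ITERATIONS, dklen=KEY_BYTES)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)  # upgrade while we have the cleartext
    return True


if __name__ == "__main__":
    # Constructed sample: the QIP-style cleartext row beside a hashed one.
    cleartext_table = {"alice": "correct horse battery staple"}
    hashed_table = {"alice": hash_password("correct horse battery staple")}
    print("what a leak of the cleartext table gives:", cleartext_table["alice"])
    print("what a leak of the hashed table gives:   ", hashed_table["alice"])
    print("login ok:", login(hashed_table, "alice", "correct horse battery staple"))
    print("login wrong pw:", login(hashed_table, "alice", "hunter2"))
```

PBKDF2 is used here because it ships with every Python build; where the `scrypt` function in `hashlib` or an Argon2 binding is available, the same record format works with those memory-hard functions, which raise the attacker's cost per guess far more than extra iterations do.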

  6. Korev Silver badge
    Thumb Down

    Last.fm

    This would explain why I seem to be getting a lot of spam directed at the lastfm address on my domain again recently.
