My MySpace account apparently predates my use of Gmail for my primary address[1], so I can't find the welcome email. I may try to sort through my old Maildirs later tonight to see if I can find it, but my hopes aren't high. That doesn't seem like something I would have saved. Maybe I can get close by finding the first MySpace-related email I did keep.
It's pretty amazing how much Gmail changed my habits. Prior to gmail, I had piles of arcane procmail rules, and I'd sort and prune mailboxes meticulously. Now I delete literally nothing (I just archive), and I barely even use labels. I just know that I can rely on search to find a message if I need it later.
1. I signed up for an account shortly after Gmail launched, but I've been using my own domain for my email address since the late 90s. So I used that Gmail account only for experimentation, and moved my primary domain mail over after Google Apps for Your Domain had been around long enough that I trusted it.
Just received this via email from 'Myspace Legal'.
Notice of Data Breach
You may have heard reports recently about a security incident involving Myspace. We would like to make sure you have the facts about what happened, what information was involved and the steps we are taking to protect your information.
What Happened?
Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform.
We believe the data breach is attributed to Russian Cyberhacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr, and has claimed on the paid hacker search engine LeakedSource that the data is from a past breach. This is an ongoing investigation, and we will share more information as it becomes available.
What Information Was Involved?
Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk. As you know, Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and Myspace username and password.
What We Are Doing
In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013 on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions at https://myspace.com/forgotpassword
Myspace is also using automated tools to attempt to identify and block any suspicious activity that might occur on Myspace accounts.
We have also reported the incident to law enforcement authorities and are cooperating to investigate and pursue this criminal act. As part of the major site re-launch in the summer of 2013, Myspace took significant steps to strengthen account security. The compromised data is related to the period before those measures were implemented. We are currently utilizing advanced protocols including double salted hashes (random data that is used as an additional input to a one-way function that "hashes" a password or passphrase) to store passwords. Myspace has taken additional security steps in light of the recent report.
What You Can Do
We have several dedicated teams working diligently to ensure that the information our members entrust to Myspace remains secure. Importantly, if you use passwords that are the same or similar to your Myspace password on other online services, we recommend you set new passwords on those accounts immediately.
For More Information
If you have any questions, please feel free to contact our Data Security & Protection team at dsp_help@myspace-inc.com or visit our blog at https://myspace.com/pages/blog.
"We are currently utilizing advanced protocols including double salted hashes"
Shudder. Whenever someone starts talking about double salting, triple salting or even just salting, it's usually a sign that they are doing password storage all wrong.
Salting only thwarts attacks against pre-computed lookup (i.e rainbow) tables and most attackers don't use rainbow tables nowadays to reverse hashes. Increases in GPU power have meant that it's more practical to just enumerate through all password permutations on-the-fly than do a lookup in an enormous file.
If a company is using a modern hashing algorithm purposefully designed for password storage (e.g. PBKDF2, bycrypt or scrypt), they need not even consider salts because they are automatically incorporated into the algorithm and are transparent to the implementor.
In my opinion, the best article describing the current state of play with respect to password storage is the following:
Their attribution is incredibly incorrect, in fact possibly criminally so as I'm not sure if "Peace" has done anything illegal here. The person they're referring to is just a middleman, and most Russians tend to be able to speak Russian.
This isn't very surprising though, these guys are as incompetent as they get. Few years ago when I audited some of their stuff they still hadn't ditched all their legacy coldfusion code (and had debugging turned on on public facing sites for gods sake). Didn't take the DB then but probably could have.
"The passwords are stored as SHA1 hashes of the first 10 characters of the password converted to lowercase. That's right, truncated and case insensitive passwords stored without a salt"
I'm surprised this fact is not getting more attention. In theory, this means that a MySpace account with a password of Welcome1234567 could be logged into with a password attempt using any of the following examples:
In essence, case sensitivity and the 11th character onward are completely ignored. This vastly reduces the total key space. To compound the problem, SHA-1 has been used which is not suitable for password storage (salted or otherwise) because it's an intentionally fast algorithm. This means an attacker can more efficiently run all permutations through the hash function to find a hash match and hence the password. In fact, as I've described above, the attacker doesn't even need to retrieve the exact password to gain access to the account. They just need an input that will produce an identical SHA-1 hash (i.e. an input containing the same first 10 (case insensitive) characters as the original password).
Based on the work I've done reversing password hashes in bulk (legitimately for clients in penetration testing engagements), I'd suggest that at least 80% of the reported ~360 million hashes could be reversed within a few days with access to the full data set and $5k worth of commodity GPU hardware. And you can guarantee that these passwords will be used in future attacks against other web sites because of how common password reuse is. Frightening.
Not quite as frightening as the schemes some financial institutions use... one that immediately comes to mind is 6 digits, no more or less, and probably stored in plaintext. Then again, bruteforcing attempts are usually very easily noticed and kept from succeeding on such systems.
Sure. But it would be a stretch to find any financial institution with as many as 360 million customer records. Maybe one of the state-owned commercial banks in China being the exception.
And more to the point, the corresponding email addresses and/or usernames in the MySpace breach are leaked along with the password hashes. The same email address and password combinations will be tried on other web sites (e.g. Amazon, Facebook) with a reasonable chance of success. No brute force necessary.
My previous bank ( ASB ) used to truncate passwords. I found out because one day I was trying to enter my password and it kept refusing it until I left off the last two characters. It turns out that they had stopped truncating or perhaps just increased the length, and so my 10 character password was just an 8 character one all along. It kind of boggles my mind that a bank would do that.
13 comments
[ 3.0 ms ] story [ 43.9 ms ] threadIt's pretty amazing how much Gmail changed my habits. Prior to gmail, I had piles of arcane procmail rules, and I'd sort and prune mailboxes meticulously. Now I delete literally nothing (I just archive), and I barely even use labels. I just know that I can rely on search to find a message if I need it later.
1. I signed up for an account shortly after Gmail launched, but I've been using my own domain for my email address since the late 90s. So I used that Gmail account only for experimentation, and moved my primary domain mail over after Google Apps for Your Domain had been around long enough that I trusted it.
Second, find a restaurant that the breach likes...
Notice of Data Breach
You may have heard reports recently about a security incident involving Myspace. We would like to make sure you have the facts about what happened, what information was involved and the steps we are taking to protect your information. What Happened?
Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform.
We believe the data breach is attributed to Russian Cyberhacker ‘Peace.’ This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr, and has claimed on the paid hacker search engine LeakedSource that the data is from a past breach. This is an ongoing investigation, and we will share more information as it becomes available. What Information Was Involved?
Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk. As you know, Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and Myspace username and password. What We Are Doing
In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013 on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions at https://myspace.com/forgotpassword
Myspace is also using automated tools to attempt to identify and block any suspicious activity that might occur on Myspace accounts.
We have also reported the incident to law enforcement authorities and are cooperating to investigate and pursue this criminal act. As part of the major site re-launch in the summer of 2013, Myspace took significant steps to strengthen account security. The compromised data is related to the period before those measures were implemented. We are currently utilizing advanced protocols including double salted hashes (random data that is used as an additional input to a one-way function that "hashes" a password or passphrase) to store passwords. Myspace has taken additional security steps in light of the recent report. What You Can Do
We have several dedicated teams working diligently to ensure that the information our members entrust to Myspace remains secure. Importantly, if you use passwords that are the same or similar to your Myspace password on other online services, we recommend you set new passwords on those accounts immediately. For More Information
If you have any questions, please feel free to contact our Data Security & Protection team at dsp_help@myspace-inc.com or visit our blog at https://myspace.com/pages/blog.
Shudder. Whenever someone starts talking about double salting, triple salting or even just salting, it's usually a sign that they are doing password storage all wrong.
Salting only thwarts attacks against pre-computed lookup (i.e rainbow) tables and most attackers don't use rainbow tables nowadays to reverse hashes. Increases in GPU power have meant that it's more practical to just enumerate through all password permutations on-the-fly than do a lookup in an enormous file.
If a company is using a modern hashing algorithm purposefully designed for password storage (e.g. PBKDF2, bycrypt or scrypt), they need not even consider salts because they are automatically incorporated into the algorithm and are transparent to the implementor.
In my opinion, the best article describing the current state of play with respect to password storage is the following:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...
This isn't very surprising though, these guys are as incompetent as they get. Few years ago when I audited some of their stuff they still hadn't ditched all their legacy coldfusion code (and had debugging turned on on public facing sites for gods sake). Didn't take the DB then but probably could have.
I'm surprised this fact is not getting more attention. In theory, this means that a MySpace account with a password of Welcome1234567 could be logged into with a password attempt using any of the following examples:
* Welcome123
* welcome123
* WeLcOMe123456789
* welcome123anythingafterthe10thcharacterdoesntmatter
In essence, case sensitivity and the 11th character onward are completely ignored. This vastly reduces the total key space. To compound the problem, SHA-1 has been used which is not suitable for password storage (salted or otherwise) because it's an intentionally fast algorithm. This means an attacker can more efficiently run all permutations through the hash function to find a hash match and hence the password. In fact, as I've described above, the attacker doesn't even need to retrieve the exact password to gain access to the account. They just need an input that will produce an identical SHA-1 hash (i.e. an input containing the same first 10 (case insensitive) characters as the original password).
Based on the work I've done reversing password hashes in bulk (legitimately for clients in penetration testing engagements), I'd suggest that at least 80% of the reported ~360 million hashes could be reversed within a few days with access to the full data set and $5k worth of commodity GPU hardware. And you can guarantee that these passwords will be used in future attacks against other web sites because of how common password reuse is. Frightening.
And more to the point, the corresponding email addresses and/or usernames in the MySpace breach are leaked along with the password hashes. The same email address and password combinations will be tried on other web sites (e.g. Amazon, Facebook) with a reasonable chance of success. No brute force necessary.