Robinhood Stored Passwords in Plaintext
"When you set a password for your Robinhood account, we use an industry-standard process that prevents anyone at our company from reading it. On Monday night, we discovered that some user credentials were stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password may have been included.
We resolved this issue, and after thorough review, found no evidence that this information was accessed by anyone outside of our response team. Out of an abundance of caution, we still recommend that you change your Robinhood password.
We take matters like this seriously. Earning and maintaining your trust is our top priority, and we’re committed to protecting your information. Let us know if you have any questions–we’re here to help.
Sincerely,
The Robinhood Team"
If you've used Robinhood in the past, it's a good idea to check your emails!
172 comments
[ 3.0 ms ] story [ 243 ms ] threadThey've supported MFA for awhile, so simple enough to reset a password and make sure MFA is turned on.
I prefer when companies are proactive.
https://www.bleepingcomputer.com/news/security/twitter-admit...
I guess you could install it as a Linux system which searches through all plaintext traversing the network AND filesystems of the entire infrastructure. Which might be a good business idea if you could pull it off.
Why is the headline misleading? I mean, they say in black and white that they stored passwords in a readable format. The headline is completely factual.
If my password gets compromised, it's irrelevant where Robinhood stored it, just that they did so in plain text. That it was stored in text files, in a database, or handwritten on pink post-it notes doesn't make much difference.
That said, there are more than just logs to worry about. Is your service-to-service traffic encrypted? Then passwords are in the tcpdumps that you took to analyze a strange networking bug (you then copied the password to your workstation to look at the trace in wireshark). Do your programs segfault and core dump? Then passwords are probably in that core dump. Do you check the bounds of every memory read and write operation? Then passwords are probably in random variables (see: Heartbleed/Cloudbleed).
Sessions, though, are less scary. Sure, if you steal someone's cookie internally, you can impersonate that user on your own services. Nobody wants that, because it probably bypasses all the internal auditing systems; the auditing system can't tell that request apart from a legitimate user request. But, cookies can be revoked and have a shorter lifetime than a passwords, so it's not quite as bad.
Ultimately, it's all about limiting risk. If you have a database full of passwords, then someone compromising that database today gets all passwords ever. If you have a disk full of logs full of passwords, someone gets all the passwords that were used to log in within that log server's retention time period. If someone hacks in and starts tcpdumping your internal network and it's not encrypted, they only get passwords from users that log in while they're running tcpdump. If you encrypt network traffic, then someone only gets passwords that were in memory when your binary crashed. Nothing is perfect, but you can do more to add more security. Perfection is impossible, but not logging passwords is one step closer to perfection.
Then they are useless to anyone who steals them, since a TLS channel ID can't be recreated except with access to the TPM of the computer which initially created the cookie/session/TLS connection.
Given the frequency that this occurs, I wonder if it'd be a good practice to use a sentinel value for a password during testing and grep logs for it.
As they're incredibly opaque about what they're doing, it's hard to tell whether they're part of the "get it wrong" crowd, but being incredibly opaque about what they're doing doesn't bode well.
Otherwise its vulnerable to replay attacks
Anyway, it's been a long time ago, and if I had to do it again today, i would rather not roll my own.
Specifically if you hash the password client side then the hash fundamentally becomes the password, and having that sit plaintext in logs is identical to the pre-hash password since both can re-played to authenticate.
I believe this is still a respected/secure version of what you describe:
https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...
(Provided either you, or all the other services using this scheme, are sensible enough to salt with a string unique to their website such as a domain name)
Yes. I thought that was pretty common practice. We catch PII (not just password) log-leaks this way that verifying this way often enough that our developers have even learned[1] to check the searches before we yell at them when they try to take something leaky to prod.
If you don't automate detection of things like this you will make the same mistake again.
[1] Not being down on developers, I used to be one and still write a lot of code. Just noting a somewhat less than universal interest in compliance issues.
Is there a compliance document that requires this approach?
Or is it that the compliance states reasonable safety whilst handling PII and security credentials, and that it is down to the interpretation by each individual company as to what that means.
"Secure" text inputs get the system keyboard, regardless of the user's custom installed keyboard.
That is a seriously sad reflection on the poor quality of the software cranked out today.
Someone should be losing their job.
If that isn't what happened, someone should be losing their job. The minute you think diagnosing network problems is a reason to ignore security to a degree that your users need to be notified you're incompetent.
If they just left a log or capture file around somewhere, nope. Everyone makes mistakes.
I guess that's where you and I differ. There are certain mistakes that are tolerable. But ones that result in mass emailing to your clients that they need to change their passwords are not. I'd never heard of robinhood.com before, but now I have, and my impression is I'd never trust them because they have staff that makes mistakes with my secure information.
Think of how robinhood.com's employees feel about this. Management, and the people who are now watching the fallout rob the company of revenue.
Telling me that the person who made that mistake is gone might make me think differently.
The minute you start taking users name and passwords you're in the big boy world and need to treat it as such. Mistakes can be fatal, not just for your job, but your company.
Some organizations would simply ignore this and move on. You'd never know it even happened.
https://www.zdnet.com/article/github-says-bug-exposed-accoun...
https://arstechnica.com/information-technology/2018/05/twitt...
https://www.theverge.com/2019/3/21/18275837/facebook-plain-t...
Just my 2 c
Also, there are zero-knowledge authentication systems, but they are somewhat iterative due to their probabilistic nature. They are secure in the face of an imposter authentication service, as the password (or a hash, obviously) has to be stored in the real authentication service. But it is never transmitted after this initial store, so no amount of logging or posing as an evil imposter risks disclosure.
Nobody is going to lose their job over this because the practical consequences are that you have to send out an "our bad" email and offer a credit protection voucher that most customers won't actually use. There are no costs.
Not that that someone is necessarily the person who actually turned on this logging, it could be their supervisor who let it go live, or QA or… wherever the buck stops.
Except you can't really except that.
You must ALWAYS hash the password (as a salted iterated cryptographic hash) on the server. You can in ADDITION also hash the password on the client end, but by itself that's not enough.
The issue, as usual, comes down to "what is the attack you're trying to thwart"? If you hash on the client and not the server, then when (not if) the attacker manages to download the hashed password set, the attacker can create a modified client & send those hashes directly. If you don't hash on the server, it's exactly the same as storing passwords as clear text, because you're storing the data that an attacker can directly use to log in.
You can also hash the password on the client IN ADDITION to the server. In that case, you're hiding from the server the actual password you type in. That's an improvement if you're sharing a single password across many services; in this case the attack you're trying to thwart is to prevent an attacker from actively capturing the password & trying to reuse the password on other systems. However, a much better idea is to not share a single password anyway, so it's not such a great thing.
To be clear, it would have prevented these logged passwords from impacting other websites if the true cause of the Robin Hood password reset was a logging issue.
As a user, you can prevent this from happening either way by choosing strong, unique passwords for every service.
I've also wondered why this isn't more common.
[1] https://blog.cryptographyengineering.com/2018/10/19/lets-tal...
I wonder why PAKEs haven’t caught on?
This article (somewhat ironically) talks about it:
https://arstechnica.com/information-technology/2012/08/hacke...
Overview, Scheme_0: - You send your unique identifier (email, username, etc) and password to the server in plaintext. - The server looks up the password hashing scheme and salt associated with your identifier - The server checks that salt+password+hashing scheme produce the stored hash - Server kicks back proper response
In your scenario, Scheme_1: - You prehash the password locally and send your identifier + prehashed_password to the server - The server looks up the password hashing scheme and salt associated with your identifier - The server checks that salt+prehashed_password+hashing scheme produce the stored hash - Server kicks back proper response
The only difference is the extra hashing step. From a security perspective, there is no gain; storing the prehashed_password from Scheme_1 in plaintext (e.g. logs) is no different than storing the password from Scheme_0 in plaintext.
PAKEs are probably a good idea across the board.
As others have pointed out, if you go for complexity, there are better schemes. However, by avoiding the complexity you keep simpler client side code.
Especially because this is standard, whilst doing extra stuff would involve doing your own crypto code.
Security is a long term investment and it's easy to mess up. Taking responsibility and being transparent when you don't is the only way you're going to get it right.
There are some reverse proxies that are being sold as a way to mirror HTTP data to metric/analytics systems, which would bypass built-in filtering mechanisms which automatically remove passwords from logs (as Rails does). Metric/big data systems are an easy place for sensitive data leaks to happen. So your web developers could be getting security 100% right but some higher level systems integration with an analytics or ops software (requested by marketing or BI guys or whatever) could mess it up.
>>> When you set a password for your Robinhood account, we use an industry-standard process that prevents anyone at our company from reading it. Additionally, our policy is to not store usernames and passwords for any bank accounts that you link to your Robinhood account.
On Monday night, we discovered that some user credentials were unintentionally stored in a readable format within our internal systems. We wanted to let you know that your Robinhood password and linked bank account credentials may have been included. <<<
What level of incompetence is required to have accidentally logged bank account credentials?
This is not simple logging of login, oops, this is a very serious breach of basic security.
I remember on a bank's IVR I was auditing, required "_random 2 out of your 4 characters of a PIN_" (not your card's but dedicated to a call center support - that gave you full access to your accounts though) was being recorded/logged together with any phone key press (e.g. your customer ID). It was possible (if obtaining the logs of a few of a customer's calls) to reconstruct the PIN (e.g. call1#1 you press 1, 3, call#2 you press 1,2, call#3 you press 2,4). Those logs were scrubbed/dropped once a year, so for a frequent IVR user it was easy to reconstruct your IVR PIN. The folder containing the logs was a Windows shared folder with Everyone/Everyone (share/modify).
You should have seen the COO's face as I was describing how easily this could have been abused (likelihood), and how it could open a floodgate of serious problems for the bank (impact).
Also, use two factor authentication, of course. If you are going the U2F route, I highly recommend having a permanent key for each computer and a bluetooth+NFC key for on-the-go. It’s a worthwhile investment.
My biggest problem today is that it is tedious to generate and save new passwords on mobile, which is increasingly where I do so... but security always comes with some costs, I suppose.
1) Logged into website with LastPass 2) Had to enter a second piece of identifying info (like a PIN). 3) Once entered, LastPass thought the PIN was a new password and prompted me, "Would you like to update the login to [url] with the new password?" 4) I clicked "No". 5) Some kind of network hiccup or communication failure happened, the pop-up kinda hung there for a bit. 6) I opened the vault and checked the password for that site. LP had apparently not honored my request and replaced the password and, more disturbingly, the password history was missing.
Luckily I had my phone on me, and evidently it hadn't synced with LP's servers in the last few minutes, so I was able to pull out the old version of the password from the cached version of the fault and manually re-enter it on my computer to get the password fixed.
I've never been able to reproduce the issue after that (although I'm not keen to try). But it did happen.
LP also used to be pretty terrible at automatically saving passwords you entered into a form, even if you explicitly used the random password that LP generated. You really had to copy+paste it into notepad just as a backup until you could successfully confirm that it made it to the vault.
You should also memorize important passwords still. I know my personal Google password, for example.
20 years ago when I was in high school a friend of mine bought a hardware key logger. It went inline between the keyboard and computer. He would leave it on library computers to get the firewall password and to mess with other students. You never know when a machine is compromised.
Sure, you shouldn't, but sometimes you have no other choice. The simplest case that comes to mind are the tourists who need to print boarding passes using the self-service computers in their hotel (or, even worse, at some printing shop down the street).
I would definitely change my password afterwards, though.
How do you deal with services that only permit a single key to be registered to each account? (Notably AWS. But they're not alone in this limitation.)
This is what taking security more seriously looks like.
The lazy company doesn't even bother to look for problems like this, never finds them, and then an attacker eventually gains access to the plaintext passwords and compromises their customers.
The shortsighted company finds the problem and fixes it silently, even though they should really notify users to change their passwords to mitigate the possibility that the plaintext passwords were already compromised.
The company that takes security more seriously does own up to it despite the PR hit.
The company refused to do anything. No emails sent, not even a forced password reset. The dev who made the mistake responded with "This is not a real concern. I am disappointed we spent so much time working on this." I brought it up with the CTO who essentially did nothing. Then I brought it up with CEO who came to our standup where the responsible dev than said something along the lines of "we don't serve any heads of state, so it doesn't really matter." CEO did nothing. I emailed the general counsel who told me no one else brought it up with him.
I think I gave notice 2 weeks later. The general counsel apparently left within a year (not sure if related).
I assume this is what happened here, but maybe Robinhood will elaborate at some point.
>On Monday night, we discovered
Because one casually does security audits on a Monday night and then releases a "nothing has come to our attention" statement?
The one is proactive (on a monday night?) the other speaks of a response to an external actor. Which is it?
The mere fact that a release like this happened suggests some sort of legal/SEC/accounting requirement was triggered. i.e. Something happened.
I use Bitwarden, which has a way of checking password dumps, but only for individual passwords. I have over a hundred entries, so checking that frequently is quite time consuming.
I've decided to just switch my email on as many sites as possible using a few aliases to make put them into buckets, but there has to be an easier way...
This is the most frustrating thing about hibp. I have hundreds of passwords on hundreds of services. "we found your email in a dump" doesn't help me if I don't know which server you found it for.
Transferwise switched to requiring this and it's a miserable feature. Lost me as a customer because of it.
Never give your bank password to anyone other than your bank.
This should really be a forced reset. Not finding evidence that it was accessed isn't proof that it wasn't.
That is complete bullshiting pr spin and I'm greatly concerned about my account.
Gee wiz I wonder if anyone on the response team could have done something. Or a dev with nefarious purposes like guy that rigged the lottery multiple times.
GREETINGS EVERYONE, are you looking for a LEGIT and Trustworthy HACKERS with 100% Guarantee and you want to get your job done urgently withing one Hour or you are face with delay and unnecessary excuses and error on your job?. Then Worry no more because easyhackingguru@gmail.com are the Best Bet in any hacking Services. They are ready to render and attend to your job with swift response and No delay at all.
Their services are outlined as follows:
. LONG TIME LOAN GIVING
. PROFESSIONAL in SCHOOL GRADE changing
. WHATSAPP Hack
. FACBOOK hack
. PROFESSIONAL in any BANK ACCOUNTS TRANSFER
. TWITTERS hack
. EMAIL,YAHOOMAIL and HOTMAIL ACCOUNTS hack
. WEBSITE CRASHED hack
. SERVER CRASHED hack
. SALES OF SPYWARE and KEYLOGGER SOFTWARE
. RETRIVAL OF LOST FILES and DOCUMENTS
. ERASE and EXPUNGE of CRIMINAL RECORDS
. DATABASE hack
. SALES of ATM CARDS in WHITE
. SKYPE hack
. PAYPAL hack
. DROPBOX ACCOUNT hack and Lots more..........
CONTACT: their services at easyhackingguru@gmail.com and you will be glad you did
whatsApp contact- +1(216)525-9704