Last week members of CMS Drupal received terrifying news regarding a very serious problem – a massive data breach. The breach included leaked usernames, email addresses, users’ countries of residence and hashed passwords.
Although decrypting those passwords would not be an easy task, Drupal’s management still thought it necessary to inform customers about the incident and suggested they change their passwords as soon as possible.
This is an example of a company having a responsible attitude to this sort of situation. But for us, it is just another occasion to talk about recent massive data leaks, since the Drupal incident is not unique in the least.
Drupal: a non-unique case
In a message sent out to users, Drupal’s deputy executive director, Holly Ross, said that the company’s information security service gave unauthorized access to user accounts on drupal.org and groups.drupal.org. Attackers used a vulnerability in the “third party software installed in the server infrastructure of drupal.org”, so that the leak occurred exclusively with those servers. According to the statement, users of other resources based on CMS Drupal, such as U.S. government websites and The Economist magazine, were not affected by the incident.
“We have implemented additional security measures in order to prevent the recurrence of such attacks and to secure privacy of our community’s members,” – said the statement. Beyond this, there were strong recommendations to change passwords, despite the fact that the majority of user passwords on servers were hashed and salted. Several standard tips to ensure safety were given as well.
The letter did not say anything about the total number of affected passwords, which was about one million. And that fact allows us to rank the leak as very massive, but not unique.
The most hyped recent story, as we know, was the hacking of Sony-owned servers in April 2011. That attack affected tens of millions of people and had countless credit cards numbers leaked, and the Sony Playstation Network service did not work for several months. That particular case underwent a controversial investigation by the U.S. Congress.
The scale of the insolent raid on Sony services dwarfs the next few incidents, though some of them were still very serious. Let us briefly survey them and try to find if there was anything in common.
LinkedIn: a double impact
Almost exactly one year ago, the administration of LinkedIn, the professional social network for searching jobs and recruiting, faced a leak of 6.5 million passwords. Their hash values were published in a Russian hacker board forum.insidepro.com with a request for help (obviously for help with decoding).
Only hash values without logins were published at that time, but attackers quickly cracked (rather guessed) about 60% of the passwords by their hash values. As it turned out, the passwords were encrypted with the SHA1 algorithm and stored without the salt, which greatly facilitated the task for the attackers. Unsalted hashes were a deviation from regular practice, so the charges of negligence that came up against LinkedIn were quite reasonable.
Consequently, there was at least one phishing bulk message sent to LinkedIn users. It is still unclear how exactly the attackers managed to gain access to the database, but according to Rapid7 experts, the attackers had tried to get through to the data for several days at the very least.
Almost immediately after the hacking news, another scandal arose with LinkedIn. It appeared that their iOS clients sent all information from the Calendar application in a plain unencrypted form, which was another big hole in their security. However it is in no way connected to the aforementioned attacks.
Formspring (July 2012)
In early July 2012 28 million users of Formspring received notifications that their old passwords were disabled and new ones had to be chosen.
An official message from Formspring stated that someone had managed to find a vulnerability within the development server, which was then used to gain access to the underlying database. As a result 420,000 hashed passwords leaked and surfaced on some information security message boards.
For encryption, Formspring used the algorithm SHA-256 (a version of SHA-2), and the hash values were salted, nevertheless, Formspring administration decided it was necessary to change the algorithm to the more robust bcrypt.
Yahoo! (July 2012, January 2013)
The hacker group D33Ds Co. showed off by publishing logins and passwords to Yahoo! mail accounts that they managed to steal from Yahoo! Voices by means of SQL injection, proving the attacked server had very poor protection. This situation was especially bad because the usernames and passwords were stored in plain text.
Moreover, the published information contained not just Yahoo! mailbox accounts, but it also included addresses and passwords for Gmail, Hotmail and AOL, all for public access.
Yahoo! Voices was created originally by the independent developer Associated Content for accumulating user content. Yahoo! purchased it in 2010 for $100 million. Hackers claimed that they intended to punish Yahoo! for neglecting precautions and were not going to harm anyone with their attack. Yahoo! countered that only 5% of the leaked usernames and passwords remained valid.
An unofficial source within Yahoo! stated: “Lots of Yahoo! mail accounts were broken into last week by computers all over the world. It seems a botnet was used to do it. The hackers might have accessed some of the accounts through Apple iPhone’s Yahoo! Mail app, as account security logs show that as one of the hack entry points.”
To be continued…