June is upon us and with it comes some of life’s sweet little pleasures – lazy summer vacations, long, hot, sticky days and apparently mega-huge database hacks. Yup, you read that right. It sure would have been nice to say that the early summer months mean sharing your double dip ice cream cone with your dog, but sorry Rex, not this year.
So far, June 2016 is sizing up to be the month of the database hack. Just how many websites have had their databases hacked and seen their users’ passwords and login credentials leaked on to the dark web as of the end of May? Well, let’s count and see.
LinkedIn – First there was the LinkedIn data dump we told you about a few weeks ago, in which 165 million emails and passwords were hacked. The hack itself took place in 2012 but the information from the dump just surfaced on the dark web in May, prompting LinkedIn to reset passwords and alert their users to potential security issues. The whole dump is being offered for sale by a grey hat hacker using the name “Peace” on the dark web forum “The Real Deal” for the bargain price of $2200.
Tumblr – Then just a few days after that, Tumblr, the microblogging/social media platform announced that it too had been a victim of a database hack, back in 2013 in which 65 million passwords were nicked. Tumblr too was in the dark about the hack until May and now those passwords and logins are also up for sale on the same dark web marketplace as the LinkedIn data, all for the low, low price of $150.
Granted, the reason the lot is being sold for so little is that the passwords were very heavily salted. No, it’s not that the hackers are on a low NaCl diet: salting means tacking a random string onto each password before it is hashed (scrambled one way, so it can’t be read back), which means two users with the same password don’t end up with the same stored value and a precomputed table of common passwords is useless against the dump. Since there isn’t too much a hacker can do with the info, it’s not all that valuable. But props to Tumblr for making their passwords so darn hard to crack!
Myspace – Up next in the database hackathon, Myspace, the social media network that you probably forgot you were ever on, announced that their database had been breached and along with it came a staggering 350 million passwords and logins.
Wait, before you pat yourself on the back for not having used the site since like 2007, understand that if you ever had an account, your password, as old as it may be, is still stored on their servers. And guess what?! Peace is selling the whole load for $2800! And unlike the still-around and sort of useful Tumblr, turns out that Myspace did a pretty crummy job of protecting the passwords in its keep. The passwords were hashed (run through a one-way function that turns them into a fixed-length string standing in for the original data) with the now-outdated SHA-1 cryptographic algorithm, and there was no salting applied whatsoever, making those stolen credentials relatively easy to crack. Yeesh.
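To make the Tumblr-versus-Myspace contrast concrete, here is a small added example (our own illustration, not code from either company or from the leaked dumps). The first half mimics the unsalted SHA-1 scheme the Myspace passwords were stored with: every user who picked the same password gets the same hash, and a table of hashes precomputed from a handful of common passwords matches them instantly. The second half stores the same passwords the way a site should, with a random per-user salt and a slow key-derivation function (PBKDF2 from Python’s standard library, chosen here as an assumption; any modern password hash would do). The sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed list of "common" passwords; in a real unsalted dump an attacker
# would precompute hashes for millions of these, once, and reuse the table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """Myspace-style storage: one plain SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_table(candidates) -> Dict[str, str]:
    """hash -> password for every candidate. Without a salt, this table is
    built once and works against every account in the database."""
    return {sha1_unsalted(p): p for p in candidates}


def recover_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Look the stored hash up in the precomputed table (the whole 'attack')."""
    return table.get(stored_hash)


def store_salted(password: str, iterations: int = 200_000) -> Dict[str, object]:
    """Tumblr-style storage done properly: fresh random salt per user, then a
    deliberately slow hash (PBKDF2-HMAC-SHA256) over salt + password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> Dict[str, object]:
    """Two constructed users, alice and bob, both chose 'letmein'."""
    table = lookup_table(COMMON_PASSWORDS)

    alice_unsalted = sha1_unsalted("letmein")
    bob_unsalted = sha1_unsalted("letmein")

    alice_salted = store_salted("letmein")
    bob_salted = store_salted("letmein")

    return {
        # Same password -> identical unsalted hash, visible to anyone with the dump.
        "unsalted_hashes_match": alice_unsalted == bob_unsalted,
        # And the hash falls straight out of the precomputed table.
        "unsalted_recovered": recover_unsalted(alice_unsalted, table),
        # With per-user salts the stored values differ, so no shared table helps.
        "salted_hashes_match": alice_salted["hash"] == bob_salted["hash"],
        "salted_login_ok": verify_salted("letmein", alice_salted),
        "salted_wrong_password": verify_salted("letmeout", alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two unsalted hashes are identical and the table hands back “letmein”, while the two salted records differ and only the correct password verifies. The iteration count is what makes guessing expensive; SHA-1 alone costs an attacker a fraction of a microsecond per guess.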
VK.com – Moving right along, and entering into the sunny month of June, VK.com, the Facebook of Russia and the largest social network in Europe, announced that their database was breached, snagging 100 million plaintext passwords with it.
Wait, did you say plaintext?
Just what is plaintext? The words you are reading right at this moment are plaintext. No hashes, no salts, nada, zippo. So these hackers just stole a boat-load of ready-to-use passwords. Not surprisingly, Peace is selling the lot for just one bitcoin, or $580.
Badoo? Twitter??! – But wait, there’s more! On June 2nd, Motherboard.com reported that passwords, usernames, email addresses and dates of birth associated with accounts on the dating-focused, Europe-based social network Badoo began showing up in dark web marketplaces. The exact number of accounts associated with the hack is unknown and Badoo, for its part, says the claims are unsubstantiated.
Regarding the potential Badoo hack, security expert Troy Hunt cautions people against jumping to conclusions when it comes to hacks that have not been verified: “I’m concerned to see claims that don’t appear to have been fully substantiated… Accusations of a site being hacked have serious consequences.” That being the case, we won’t even mention that just today, sources are springing up with claims of leaked Twitter passwords and login credentials for sale in the last week on dark web forums…
Well, isn’t this just a tad disheartening?
In 2012, the then-FBI director Robert Mueller said at the annual RSA security conference “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” If we can learn anything from the hacking marathon of the past few weeks it’s that we cannot leave our digital security in the hands of others and expect that it will be kept safe. Perhaps a few years back you could have created an account on a website, expecting your password to protect your data behind it. Clearly this is no longer the case.
Nowadays your best bet is to enable multi-factor authentication for all your logins and disable zombie accounts that you no longer use, like your very-defunct Myspace account.
Meanwhile here are some tips to follow if you think your information has already been compromised in a breach:
- Go to haveibeenpwned.com, Troy Hunt’s website and see if your information comes up there. If it does, you know your information has been compromised.
- Change all (and we mean ALL) your passwords immediately. Follow the instructions here to create solid new passwords for all your accounts.
- Watch out for phishing emails. Now that your email address has been exposed and is up for sale, you’ll probably get a truckload of spam. Most of it is clearly junk, but every now and then a savvy spammer/phisher comes up with a convincing story. Just remember they are targeting you, so keep your guard up at all times.
- Keeping in mind that your email address is floating round the dark web, make sure you have a reliable anti-malware program like RAV Endpoint Protection to block any malicious attachments or links in emails that may come your way.
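Troy Hunt’s site also lets you check whether a password itself has appeared in a known dump, without ever sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 and returns every known hash suffix that starts with that prefix, each with a count of how often it was seen. The example below is our own added illustration (not Have I Been Pwned’s code): it builds the query, parses a response in that `SUFFIX:COUNT` line format, and reports the count for the password being checked. The response body is constructed locally so the example runs offline; the endpoint named in `fetch_range` is the real one but is only called if you invoke that function yourself.

```python
import hashlib
import urllib.request
from typing import Dict, Iterable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called by default


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes by uppercase hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Only the 5-character prefix leaves your machine; the 35-character
    suffix stays local and is matched against the returned list."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping anything malformed
    instead of crashing on an unexpected line."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times this exact password appears in the breach corpus
    described by `body` (0 means not found in that range)."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup for a 5-char prefix. Not invoked in this offline example."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_constructed_response(corpus: Iterable[Tuple[str, int]], prefix: str) -> str:
    """Stand-in for the server: from a constructed (password, count) corpus,
    return the suffix lines whose hash starts with `prefix`, CRLF-separated
    like the real service."""
    lines = []
    for pw, count in corpus:
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


# Constructed corpus; the counts are invented for the demo.
CONSTRUCTED_CORPUS = [("password", 3000), ("123456", 9000), ("letmein", 120)]


def check_password(password: str) -> int:
    """Full offline round trip: build the query, 'ask' the constructed
    server for that prefix, and count matches for the suffix."""
    prefix, _suffix = split_for_range_query(password)
    body = build_constructed_response(CONSTRUCTED_CORPUS, prefix)
    return breach_count(password, body)


if __name__ == "__main__":
    for candidate in ["password", "not-in-any-dump-Qz7!v"]:
        print(f"{candidate!r}: seen {check_password(candidate)} times")
```

Two things worth noticing: the server never learns which of the returned suffixes you cared about, and a count of zero only means “not in this corpus”, not “safe”. Swap `build_constructed_response` for `fetch_range(prefix)` to query the live service.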
One factor that remains unknown in this mega-spate of hacks is whether “Peace” himself is behind all the hacks or if he is just the liaison between hackers and marketplaces. And because he is selling the data on the dark web, which is encrypted, he is essentially untraceable, so at the moment he is free to do as he wishes with the data dumps therein. As time goes on and more details emerge, let’s hope more passwords and hacks don’t emerge as well.