Last updated on Feb. 26, 2014: added the massive cache reported by Hold Security
Motivation: High Rate of Password Theft
Over the past few years one cannot follow technology news without feeling that the rate of account credential theft including passwords, encrypted or not, and personally identifying information has been accelerating. I’ve written several articles on ways to mitigate risk and make it very easy to respond when such a theft happens.
The process starts with using a password database manager like KeePassX or LastPass (and if one chooses an offline solution like KeePassX it’s wise and not inconvenient to use encryption and cloud syncing to make things easier without sacrificing security). It continues with gathering up one’s online accounts and changing the passwords to unique, random, and strong passwords using the password database software.
In fact it was news that Kickstarter was hacked and account credentials were compromised today that prompted me to begin this list. It took me all of a minute to lock my account back down with a new 100-character random password and no other account was ever at risk. Therefore my primary motivation in making this list is to provide a long list of reasons to adopt password security practices such as mine. They honestly make one’s life simpler (memorize one or two strong passwords versus memorizing and inevitably forgetting tens or hundreds of weak ones) and it’s far easier to respond to these increasingly common account credential thefts.
I’ll be doing my best to keep this list up to date including filling in gaps by researching past incidents.
The Long List of Password Breaches
Feb. 25, 2014: Security firm Hold Security reported a total of 360 million account credentials in the first three weeks of February were made available for sale on black market websites that specialize in these trades. Additionally they reported a sum of 1.25 billion email addresses were for sale which can be compromised by phishing attacks. Note that this is a cumulative figure for three weeks of February and is comprised of several smaller breaches, but the scale is still significant and substantial.
Feb. 15, 2014: The popular crowdfunding platform Kickstarter was breached resulting in the theft of account information and personally identifying information. Account holders received an email claiming that usernames, email addresses, mailing addresses, and encrypted passwords were stolen but credit cards were not. It’s noteworthy that Kickstarter learned of the breach through law enforcement officials the preceding Wednesday; it took them four days to notify its users. That’s four days when weak passwords may have already been cracked and reused to compromise accounts using the same credentials — again, the inability to trust third parties to be responsible is another reason never to reuse passwords.
Feb. 15, 2014: The Syrian Electronic Army (SEA) breached Forbes blogs and claims it will publish over a million user account credentials. The SEA claimed (as of this writing this is unconfirmed) that social engineering was part of the intrusion; I’ve commented on social engineering attack vectors and I reiterate my point that we can never trust our personal security to third parties who are every bit as susceptible to human error as the rest of us, so to the best of our ability we must take our security into our own hands.
Jan. 30, 2014: Yahoo accounts were breached prompting Yahoo to reset passwords. Ars Technica reported that shared account credentials obtained from other attacks played a large role in this breach; this is a direct reminder that reusing passwords between accounts poses a large risk, and this underscores the utility provided by password database managers as described in the motivation section.
Dec. 4, 2013: Plaintext account credentials were stolen for two million users of sites including Facebook, Google, Yahoo, and Twitter due to keylogging software. This is a case that illustrates that it’s not always third parties that drop the ball; ensure that you apply the latest software updates which typically include security patches, and use common sense when opening suspicious emails or websites.
Oct. 3, 2013: Adobe disclosed that data including billing information and account credentials of 2.9 million customers was stolen, but it was later revealed on Nov. 7, 2013 that over 150 million people were affected by the breach.
Jul. 22, 2013: The Ubuntu forums were breached and usernames, passwords, and emails were stolen; the usual warning about users who reused that password was given.
May 29, 2013: Those with accounts on the Drupal website had usernames, emails, encrypted passwords, and country information stolen. Note that this case specifically affected users of drupal.org and groups.drupal.org as opposed to the CMS software itself. Drupal immediately issued password resets.
Apr. 26, 2013: Over 50 million LivingSocial users had their name, email, birthdate, and password compromised after a security breach. Ars Technica reported the encrypted data was easily decrypted owing to use of plain SHA1 hashing, but it’s at least praiseworthy that barely a day later LivingSocial revised their hashing method to bcrypt (but unfortunate that they clearly had the expertise to do this prior to the hack and failed to do so).
Mar. 4, 2013: About 50 million Evernote users likely had their username, email, and encrypted passwords stolen. It’s not clear whether their password storage practices allowed for attackers to decrypt them, although the emails alone would allow attackers to use phishing methods to try to obtain more information that way.
Feb. 14, 2013: The hacker group Anonymous publicly posted emails, MD5 hashed passwords, and hash salts for 600,000 accounts from the Walla! site, a popular Israeli site. Due to the nature of these hashes and the fact the salts were included, the plaintext passwords are effectively exposed to the world.
Feb. 1, 2013: Members of the hacker group Anonymous obtained about 250,000 Twitter usernames, emails, and passwords. Twitter claimed it quickly reset passwords and user session tokens for affected accounts, but at the very least this increased the pool of known account credential combinations putting those who reuse credentials between accounts at further risk.
Jul. 23, 2012: About 8 million emails and encrypted passwords were stolen from Gamigo and posted publicly; posters on the password-cracking forum where the data was posted suggested over 94% of the passwords were decrypted within a half-hour — even if this claim was exaggerated it’s not unreasonable to expect that it wasn’t long before the passwords were decrypted.
Jul. 13, 2012: NVIDIA disclosed that account credentials of users of its developer forms were compromised and closed the forums for several weeks as a result. NVIDIA cautioned users who shared their password with other accounts.
Jun. 6, 2012: Hackers breached LinkedIn and compromised 6.5 million accounts, and a day later at least 60% of the passwords were decrypted. According to Sophos researcher Chester Wisniewski, LinkedIn used unsalted SHA1 hashes for its passwords which are trivially attacked by rainbow tables, thereby explaining why it only took a day to decrypt the majority of the passwords. Third parties cannot be trusted with security best practices: one must assume that all information stored by third parties is at risk.
May 8, 2012: Account credentials for about 60,000 Twitter accounts were published on Pastebin. Twitter suggested that more than half were accounts of blocked bots or duplicate information, and a cursory analysis of the raw data makes this seem likely, but that still leaves a large number of actual users affected.
Jan. 16, 2012: A breach at Zappos revealed mailing addresses and account credentials for about 24 million customers, and the last four digits of their credit cards may have been available. We have seen recently that even the last four digits of card numbers can be used in social engineering attacks so if that was the case that would be significant.