
Dating the ginormous MySpace breach - Navarr
https://www.troyhunt.com/dating-the-ginormous-myspace-breach/
======
amjo324
_"The passwords are stored as SHA1 hashes of the first 10 characters of the
password converted to lowercase. That's right, truncated and case insensitive
passwords stored without a salt"_

I'm surprised this fact is not getting more attention. In theory, this means
that a MySpace account with a password of Welcome1234567 could be logged into
with a password attempt using any of the following examples:

* Welcome123

* welcome123

* WeLcOMe123456789

* welcome123anythingafterthe10thcharacterdoesntmatter

In essence, case sensitivity and the 11th character onward are completely
ignored. This vastly reduces the total key space. To compound the problem,
SHA-1 has been used which is not suitable for password storage (salted or
otherwise) because it's an intentionally fast algorithm. This means an
attacker can more efficiently run all permutations through the hash function
to find a hash match and hence the password. In fact, as I've described above,
the attacker doesn't even need to retrieve the exact password to gain access
to the account. They just need an input that will produce an identical SHA-1
hash (i.e. an input containing the same first 10 (case insensitive) characters
as the original password).

Based on the work I've done reversing password hashes in bulk (legitimately
for clients in penetration testing engagements), I'd suggest that at least 80%
of the reported ~360 million hashes could be reversed within a few days with
access to the full data set and $5k worth of commodity GPU hardware. And you
can guarantee that these passwords will be used in future attacks against
other web sites because of how common password reuse is. Frightening.
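
A small model of the scheme the comment describes, added here as an illustration and not MySpace's own code: an unsalted SHA-1 over the first 10 characters of the lower-cased password. It shows the four login attempts listed above colliding with the real password, groups distinct passwords into the equivalence classes the scheme cannot tell apart, and puts a rough number on the key-space collapse. The alphabet sizes (62 for mixed-case letters and digits, 36 after case folding, symbols ignored) and the 14-character upper bound are assumptions made for the arithmetic.

```python
import hashlib


def legacy_myspace_hash(password: str) -> str:
    """Model of the scheme quoted in the thread (constructed, not MySpace's code):
    unsalted SHA-1 over the first 10 characters of the lower-cased password.
    For ASCII input it makes no difference whether truncation or folding runs first."""
    normalized = password[:10].lower()
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest()


def legacy_hash_matches(stored_hex: str, attempt: str) -> bool:
    """Login check as the legacy scheme would perform it: any attempt whose first
    10 characters case-fold to the original's is accepted."""
    return legacy_myspace_hash(attempt) == stored_hex


def equivalence_class_size(passwords):
    """Group distinct passwords by the hash they produce and return, per hash,
    how many different inputs the scheme treats as the same password."""
    groups = {}
    for pw in passwords:
        groups.setdefault(legacy_myspace_hash(pw), set()).add(pw)
    return {digest: len(members) for digest, members in groups.items()}


def candidate_count(max_len: int, alphabet_size: int) -> int:
    """Number of distinct strings of length 1..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def keyspace_reduction_factor(full_max_len: int = 14, full_alphabet: int = 62,
                              kept_len: int = 10, folded_alphabet: int = 36) -> float:
    """How many times smaller the set of distinguishable passwords becomes once
    only 10 case-folded characters matter. Alphabet sizes are assumptions:
    62 = [A-Za-z0-9], 36 = the same set after case folding; symbols ignored."""
    return candidate_count(full_max_len, full_alphabet) / candidate_count(kept_len, folded_alphabet)


if __name__ == "__main__":
    stored = legacy_myspace_hash("Welcome1234567")  # constructed sample password
    attempts = [
        "Welcome123",
        "welcome123",
        "WeLcOMe123456789",
        "welcome123anythingafterthe10thcharacterdoesntmatter",
        "welcome124",
    ]
    for attempt in attempts:
        verdict = "accepted" if legacy_hash_matches(stored, attempt) else "rejected"
        print(f"{attempt!r:60} -> {verdict}")
    print(f"distinguishable passwords shrink by a factor of about {keyspace_reduction_factor():.3g}")
```

The last line is the defender's takeaway: with at most 36^10 distinguishable inputs and a hash designed for speed, the number of stored hashes is almost irrelevant to an attacker's cost, which is why the comment's estimate of a few days on commodity hardware is plausible.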

~~~
userbinator
Not quite as frightening as the schemes some financial institutions use... one
that immediately comes to mind is 6 digits, no more or less, and probably
stored in plaintext. Then again, bruteforcing attempts are usually very easily
noticed and kept from succeeding on such systems.

~~~
amjo324
Sure. But it would be a stretch to find any financial institution with as many
as 360 million customer records. Maybe one of the state-owned commercial banks
in China being the exception.

And more to the point, the corresponding email addresses and/or usernames in
the MySpace breach are leaked along with the password hashes. The same email
address and password combinations will be tried on other web sites (e.g.
Amazon, Facebook) with a reasonable chance of success. No brute force
necessary.

------
zippergz
My MySpace account apparently predates my use of Gmail for my primary
address[1], so I can't find the welcome email. I may try to sort through my
old Maildirs later tonight to see if I can find it, but my hopes aren't high.
That doesn't seem like something I would have saved. Maybe I can get close by
finding the first MySpace-related email I did keep.

It's pretty amazing how much Gmail changed my habits. Prior to gmail, I had
piles of arcane procmail rules, and I'd sort and prune mailboxes meticulously.
Now I delete literally nothing (I just archive), and I barely even use labels.
I just know that I can rely on search to find a message if I need it later.

1\. I signed up for an account shortly after Gmail launched, but I've been
using my own domain for my email address since the late 90s. So I used that
Gmail account only for experimentation, and moved my primary domain mail over
after Google Apps for Your Domain had been around long enough that I trusted
it.

------
kaosjester
There are two kinds of companies in today's world: those who have been hacked,
and those who don't know it yet.

------
matthewowen
Pretty impressive that he managed to find people who joined MySpace in 2008.
Unicorns!

------
projectramo
First, ask nicely for the breach's number.

Second, find a restaurant that the breach likes...

~~~
wonkaWonka
She has such a pretty face, and what a personality!

------
nowherecat
Just received this via email from 'Myspace Legal'.

Notice of Data Breach

You may have heard reports recently about a security incident involving
Myspace. We would like to make sure you have the facts about what happened,
what information was involved and the steps we are taking to protect your
information.

What Happened?

Shortly before the Memorial Day weekend, we became aware that stolen Myspace
user login data was being made available in an online hacker forum. The data
stolen included user login data from a portion of accounts that were created
prior to June 11, 2013 on the old Myspace platform.

We believe the data breach is attributed to Russian Cyberhacker 'Peace.'
This same individual is responsible for other recent criminal attacks such as
those on LinkedIn and Tumblr, and has claimed on the paid hacker search engine
LeakedSource that the data is from a past breach. This is an ongoing
investigation, and we will share more information as it becomes available.

What Information Was Involved?

Email addresses, Myspace usernames, and Myspace passwords for the affected
Myspace accounts created prior to June 11, 2013 on the old Myspace platform
are at risk. As you know, Myspace does not collect, use or store any credit
card information or user financial information of any kind. No user financial
information was therefore involved in this incident; the only information
exposed was users' email address and Myspace username and password.

What We Are Doing

In order to protect our users, we have invalidated all user passwords for the
affected accounts created prior to June 11, 2013 on the old Myspace platform.
These users returning to Myspace will be prompted to authenticate their
account and to reset their password by following instructions at
[https://myspace.com/forgotpassword](https://myspace.com/forgotpassword)

Myspace is also using automated tools to attempt to identify and block any
suspicious activity that might occur on Myspace accounts.

We have also reported the incident to law enforcement authorities and are
cooperating to investigate and pursue this criminal act. As part of the major
site re-launch in the summer of 2013, Myspace took significant steps to
strengthen account security. The compromised data is related to the period
before those measures were implemented. We are currently utilizing advanced
protocols including double salted hashes (random data that is used as an
additional input to a one-way function that "hashes" a password or passphrase)
to store passwords. Myspace has taken additional security steps in light of
the recent report.

What You Can Do

We have several dedicated teams working diligently to ensure that the
information our members entrust to Myspace remains secure. Importantly, if you
use passwords that are the same or similar to your Myspace password on other
online services, we recommend you set new passwords on those accounts
immediately.

For More Information

If you have any questions, please feel free to contact our Data Security &
Protection team at dsp_help@myspace-inc.com or visit our blog at
[https://myspace.com/pages/blog](https://myspace.com/pages/blog).

~~~
amjo324
_"We are currently utilizing advanced protocols including double salted
hashes"_

Shudder. Whenever someone starts talking about double salting, triple salting
or even just salting, it's usually a sign that they are doing password storage
all wrong.

Salting only thwarts attacks against pre-computed lookup (i.e. rainbow) tables
and most attackers don't use rainbow tables nowadays to reverse hashes.
Increases in GPU power have meant that it's more practical to just enumerate
through all password permutations on-the-fly than do a lookup in an enormous
file.

If a company is using a modern hashing algorithm purposefully designed for
password storage (e.g. PBKDF2, bcrypt or scrypt), they need not even consider
salts because they are automatically incorporated into the algorithm and are
transparent to the implementor.

In my opinion, the best article describing the current state of play with
respect to password storage is the following:

[https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/)

