
Passwords were first posted to Russian Bitcoin forum, many appear to be defunct/invalid

Russian hackers last week began to publish the results of what corporate email providers say amounts to years' worth of password collection.  Affected sites included Russia's Yandex NV (YNDX) (an estimated 1.26 million accounts), Google Inc.'s (GOOG) Gmail (4.93 million), and Mail.ru (4.65 million accounts).  Of these, an estimated 90 percent of the Russian accounts (Yandex, Mail.ru) were active, while around 60 percent of the Gmail accounts were active.

The hack comes only five years after hackers discovered they could mine Yandex login credentials via careful use of Google services.  This time around, it appears the massive set of login credentials is not the work of a glaring flaw, but rather the result of users losing their passwords by responding to phishing attempts, having their machines infected with keylogger malware, or visiting compromised webpages.


Russia's Yandex (pictured) and Mail.ru were also targets listed in the cache of login credentials.

Google offered official confirmation of the hack, writing in a Wednesday blog post:

One of the unfortunate realities of the Internet today is a phenomenon known in security circles as “credential dumps”—the posting of lists of usernames and passwords on the web. We’re always monitoring for these dumps so we can respond quickly to protect our users. This week, we identified several lists claiming to contain Google and other Internet providers’ credentials.
 
We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.
 
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources. 

For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.

Based on Google's estimates, it appears that only around 10,000 of the nearly 5 million posted "Gmail" credentials worked for still-active accounts.  Many were likely defunct accounts or older passwords for accounts whose passwords have since been changed.

The hack was initially posted to the forums of the mostly Russian-language website Bitcoin Security (forum.bitsec.com) by a user named "tvskit".  An administrator named "polym0rph" appeared to condone the release, and helped the user redact and moderate the posted passwords.  Both the user and the admin stated that the releases were ethical, as they helped warn people that their account might be compromised.  "tvskit" did not make clear how he/she came into possession of this data cache.
 
A sample of the looted Gmail logins and passwords, many of which are defunct. [Image Source: BitSec]

Looking at the responses (using Google Translate), it appears a number of users of the cryptocurrency forum found their screen name and password for Yandex or Mail.ru in the posted listings.  Based on this, it's fair to speculate that the Yandex/Mail.ru credentials are much more current/valid than the Gmail dump.

Users can check whether their Gmail account was exposed by downloading the *.7z compressed text file.  Forum users on the site where it was posted report that it is clean, but we still recommend doing this on a Linux machine in case there is some sort of hidden malware in the archive.  You can also check online at isleaked.com/en by typing in your email address.  To avoid possibly having your account added to a spam list, we suggest you replace up to three letters of your Gmail address with '*', and only submit the full address if a match is found with the wildcard pattern.
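As an added example (not code from the article or from the forum), here is a local version of that check, run against a constructed dump excerpt rather than the real file: it first matches a masked address of the kind the article suggests submitting, and only then compares the full address, so the password column is never read and the full address never leaves the machine.  It assumes the dump is plain "login:password" lines and that each '*' stands for exactly one replaced letter.

```python
import re
from typing import Iterable, List

# Constructed sample in the "login:password" layout of the posted dump.
# Every address and password here is invented for this example.
SAMPLE_DUMP = """\
alice.smith@gmail.com:hunter2
bob.jones@gmail.com:qwerty123
alicia.smyth@gmail.com:letmein
carol@yandex.ru:password1
not a credential line
"""


def mask_to_regex(masked: str) -> "re.Pattern[str]":
    """Turn an address with up to three letters replaced by '*' (the wildcard
    form the article recommends) into a regex; each '*' matches one character."""
    if masked.count("*") > 3:
        raise ValueError("mask at most three characters of the address")
    body = "".join("." if ch == "*" else re.escape(ch) for ch in masked)
    return re.compile(f"^{body}$", re.IGNORECASE)


def dump_logins(lines: Iterable[str]) -> Iterable[str]:
    """Yield only the login half of each 'login:password' line.  The password
    is never needed for an exposure check, so it is discarded immediately."""
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank line or something that is not a credential pair
        yield line.split(":", 1)[0]


def find_matches(masked: str, dump_text: str) -> List[str]:
    """Logins in the dump that fit the masked pattern (step one of the check)."""
    rx = mask_to_regex(masked)
    logins = dump_logins(dump_text.splitlines())
    return sorted({login for login in logins if rx.match(login)})


def is_exposed(full_address: str, dump_text: str) -> bool:
    """Exact, case-insensitive check of the full address, done locally only
    after the wildcard query has turned up a candidate (step two)."""
    target = full_address.strip().lower()
    return any(login.lower() == target
               for login in dump_logins(dump_text.splitlines()))


if __name__ == "__main__":
    candidates = find_matches("al*ce.sm*th@gmail.com", SAMPLE_DUMP)
    print(f"{len(candidates)} login(s) match the masked address")
    if candidates:
        print("full address present:", is_exposed("alice.smith@gmail.com", SAMPLE_DUMP))
```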

Sources: Google Official Security Blog, BitSec Forums [1], [2], [3]

Copyright 2017 DailyTech LLC. | Kristopher Kubicki