- June 29, 2016
- Info notes
During May-June 2016 a series of major and massive data breaches emerged exposing hundreds of millions of user e-mails and passwords (in hashed or plaintext form). The data were originally sold on the black market, but soon a lot of them became public. Interestingly, all these data breaches are dated a few years back, but they were only disclosed recently, remaining within private circles for years. Following these data breaches a wide range of attacks on well-known websites occurred as a result of users reusing their passwords across them. This Info note provides insight on the data breaches themselves, their impact on other websites and provides recommendations to respond and limit the impact of such data breaches.
In 2012, LinkedIn faced a data breach, which at that point, resulted in the exposure of 6.5 million hashed passwords solely, without usernames. Four years later 167 million account data originating from the same data breach were sold on the black market. 117 out of the 167 million account data contained both the user e-mail and the password hashed with SHA-1 without "salt" . At first the price for the whole 167 million records was BTC 5 (approximately €2000 at that time) but was later dropped to almost half the price since that data were already available via other channels.
Myspace reported that the data breach is related to account data dated before 11 June 2013. The leaked data contains 427 million passwords, out of which 360 million e-mails are included. Out of the 360 million account data, 111 million contains a username and 68 million a secondary password. The passwords are hashed with SHA-1 without "salt", which means that cracking the vast majority of passwords in a timely manner is trivial. Due to its larger volume, the dataset was originally valued at BTC 6 (approximately €2500) on the black market.
Tumblr reported that a set of Tumblr user e-mail addresses with passwords from early 2013 were exposed. The data contained 65 million e-mail addresses and hashed passwords. The passwords were hashed with SHA-1 and "salt" was also added, which makes the passwords harder to crack. For that reason the data were sold for as low as BTC 0.4255 (approximately €130 at that time).
Other data breaches
Other cases of recent data breach disclosures include the 40 million account data of Fling.com (breached in 2011) including e-mail addresses, usernames, plain text passwords, IP addresses and dates of birth. 100 million account data of VK.com (breached between 2011-2013) including first and last names, e-mail addresses, phone numbers and plaintext passwords. Finally, 51 million account data of iMesh.com (breached in 2013) including e-mail addresses, salted and MD5 hashed passwords, IP addresses and location information.
The aftermath of these data breaches became apparent in several occasions. Using the leaked data attackers attempted to access and take over user accounts in well-known websites hoping that users used the same passwords across the different web services. Password re-use is common since users do not easily memorize unique and strong passwords for each service they use and they often do not realize the implications of password re-use. The timing and range of the attacks suggest that these subsequent attacks are linked to the leak of the recent breaches, even though the evidence is only circumstantial.
- Github. In 14 June 2016 Github became aware of several unauthorized attempts to access a large number of Github accounts. It appears that the attackers used lists of usernames and cracked passwords from previously compromised online services to access GitHub accounts. The attacker(s) managed to successfully log into several Github accounts urging Github to reset the passwords of the affected accounts.
- GoToMyPC. Citrix confirmed that the recent attack on GoToMyPC, a known remote access service, was due to password re-use resulting from previously leaked credentials from other websites. Citrix proceeded with resetting the password of all GoToMyPC users.
- TeamViewer. TeamViewer is another well-known remote access service. A lot of TeamViewer users witnessed their PCs taken over by attackers since their accounts were hijacked and in some cases with financial consequences for the users too. TeamViewer claimed that there was no compromise of its servers and the root cause of the attacks was password re-use. Responding to the issue TeamViewer introduced two security features to protect its users (Trusted Devices and enforced TeamViewer account password reset in cases of abnormal account behaviour).
- Twitter. Twitter responded to the recent claims that 32 million Twitter account data (usernames and passwords in plaintext) were exposed by attributing the incident to the numerous breaches of other websites. More specifically Twitter stated that "Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both" supporting that their systems were not compromised and that they use bcrypt  to securely store passwords. The affected accounts were locked and forced to reset their password.
- Carbonite. Online backup firm Carbonite reported unauthorized attempts to access a series of Carbonite accounts suggesting that these attacks were the result of attackers using e-mail addresses and passwords acquired from previously compromised websites. Carbonite indicated that personal information may have been exposed from certain accounts and forced a password reset to all its customers.
For website owners
Website owners must have proper security and monitoring mechanisms in place to detect security breaches quickly. The average data breach discovery time is many months and in some cases even years. This gives an excellent opportunity to attackers to cause enough damage which cannot be easily mediated by a late discovery from the affected organisation's/company's side. Once a breach is discovered all attention should be focused on finding and fixing its root cause to avoid repeating data breaches and effectively communicate the incident to the affected parties, e.g. individuals, and to the competent Data Protection Authorities.
When a data breach occurs, the data are usually sold on the black market until someone exposes them to the wider public. There is obviously a legality issue around data dissemination and who gets to access the data, thus organizations and companies should be very cautious when processing leaked data.
After the disclosure of a data breach, it would be wise for website owners to remain alerted and monitor their systems for unauthorized attempts to access their systems by third parties. Since password re-use proves to be a serious issue, it is highly probable that such attacks will take place.
Data breaches are often followed by useful analytics provided by third parties, which have access to the leaked data. These figures usually point out information such as the most used passwords amongst the different user accounts. Website owners should use this information to form a more robust password security policy by excluding commonly used passwords from being accepted when users register to their services but also enforce the same password policy to already registered users. Generally, for enhancing security, any change to the password security policy should be applied to existing users as well.
Website owners must store passwords in a secure way using key derivation functions such as bcrypt, PBKDF2 or scrypt and not hash functions such as MD5 or SHA-1 that are very fast to compute and easy to attack (i.e. brute force attack, rainbow table attacks etc.). If such hash functions are still used then unique salting for each password should be applied.
Finally website owners are strongly encouraged to support two-factor authentication mechanisms and monitor authentication attempts for unusual activity. In cases of suspicious activities, e.g. simultaneous or recent logins from different countries, they should require an additional verification step to authenticate the user.
The recommendations of a previous ENISA info note are still valid. Users are advised to:
- Not re-use passwords. Users must not use the same passwords across different websites and services.
- Use a password manager. There is a wide variety of online and offline password managers to choose. Users should evaluate the risks of using an online password manager, e.g. an online service has a higher risk of being compromised, or an offline manager, e.g. make sure they keep a backup of their password database to avoid data loss, before making their decision. Users should make sure they create a strong master password to secure all their stored passwords. Someone might argue that password managers are a single point of failure and this might be true because compromising the master password gives attackers access to all user's passwords. But, there is a balancing act here and since password re-use is a serious issue, password managers are most probably the most reliable way to ensure that a user uses a strong enough and unique password in every service they use.
- Use two-factor authentication. It is highly recommended to use two-factor authentication wherever possible, to add one more layer of security in user accounts.
- Use HIBP, an online data breach notification tool. "Have I Been Pwned " (HIBP) is an initiative of the known security researcher Troy Hunt who has created an online database containing the usernames and e-mails leaked from big data breaches. This free online service allows users to enter their username or e-mail address, it searches through the database and notifies them whether they are victims of data breaches or not. In that way users become aware that their accounts have been affected by a breach and should then change their passwords in the respective services, as well as to the rest of services they used the same password. Users should beware of websites offering similar services and do not trust them until they are sure of the ethical intentions of their owners.
Notification of personal data breaches
It should be noted that under the General Data Protection Regulation (which will be applicable in 2018), data controllers should notify personal data breaches to competent authorities (Data Protection Authorities) and affected individuals. In order to facilitate notification to DPAs, ENISA has developed, in co-operation with the Federal Commissioner for Data Protection and Freedom of Information of Germany (German DPA), a personal data breach notification tool, which can be freely used by any interested DPA. Depending on the input of the notification, the tool also provides to the DPA an assessment of the severity of the data breach.
Data breaches can cause a lot of damage even if disclosed many years after the original incident. This shows that both password re-use and the fact that users do not regularly change passwords are serious issues. Additionally, the fact that these data breaches remained away from public sight for so long raises questions on how many more data breaches have occurred, remaining unnoticed by the affected party and the leaked data remaining dormant or within private circles.
 Salting refers to concatenating random bytes at the end of passwords before hashing them to make passwords harder to crack
 BTC refers to the Bitcoin cryptocurrency
 Bcrypt is a key derivation function designed by Niels Provos and David Mazieres. It uses a modified version of Bruce Schneier's Blowfish instead of a hash function. Bcrypt is an adaptive function whose iteration count can be increased over time to make it more resistant against brute-force attacks
 Pwned is a slang term and stands for "being hacked" or compromised
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the "Info Notes" series (firstname.lastname@example.org)