98.1 million CLEARTEXT passwords pasted as Rambler.ru rumbled

An eye-watering 98.1 million accounts, and their cleartext passwords, have been stolen from Russia's biggest web portal, Rambler.ru. The breach occurred way back on 17 February 2012 according to breach repository site LeakedSource and appears to have gone unreported in the intervening years. It represents a significant win for …

  1. Tom 64
    Facepalm

    Really?

    The engineers responsible for storing passwords in clear text should be promptly taken out back and shot, if they haven't already (hey this is Russia).

    That's been in the book of fuckups 101 since forever.

    1. Mark 85

      Re: Really?

      That's been in the book of fuckups 101 since forever.

      The problem is twofold: Either no one reads that book anymore or manglement says "don't waste your time or our time on this" and promptly puts them to work on some pet project.

    2. Khaptain Silver badge
      Coat

      Re: Really?

      Russia has some excellent engineers who I strongly doubt don't know about strong encryption/salting/hashes etc.

      Who knows the real reason, KGB, Kremlin, Mafia, NSA, all sorts of pressure might have been applied in order that the passwords were stored in cleartext...

      Russia is not exactly known for being a "user friendly" state...

      And how do we know what our own governments and three letter agencies also have access to... How many of you truly believe that Apple, Google, Microsoft, IBM, Oracle don't also have the same arrangements. Each of them has "public" policies but I can only presume that they all have hidden policies which probably result in the same scenario. (They just haven't been publicly exposed, yet).

      Mine's the one with "conspiracy" on a small lapel badge..

      1. Cuddles

        Re: Really?

        "Russia is not exactly known for being a "user friendly" state..."

        Russia may have all kinds of issues with its politics, police, spies, organised crime (but I repeat myself) and so on, but people are people and business is business the world over. A large social media company being incompetent at handling user data is not something that requires any kind of conspiracy, regardless of which country it may be based in. By far the most likely possibility is simply people being incompetent and companies cutting corners, just as it is almost every time such a breach hits the news.

    3. Hans 1

      Re: Really?

      I recently created an account on the Aix en Provence city council website to register my kids for after-school activities and ... was sent my password in clear text in the confirmation email. The same happened when I happened to forget the password I used on apec.fr ... they sent it to me ... we really, really, REALLY need to take the Window Cleaner and Surface Experts behind the shed.

      1. MiguelC Silver badge

        Re: Really?

        I recently registered on a site to buy pet food and received an e-mail stating my chosen username and password.

        And then they offered to keep my card details for easier access!!

    4. TheVogon

      Re: Really?

      Yep, but I am amazed how many websites even these days offer to "remind me of my password" to my email - if I have forgotten it.

      See also https://haveibeenpwned.com/PwnedWebsites

  2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    In Soviet Russia cleartext password find you.

  4. Oengus

    I have to ask

    The breach occurred way back on 17 February 2012

    This breach occurred over 4 years ago, back when we were a little less cautious (still no excuse) but I wonder if the passwords are still in clear text today? If they are then either it is a requirement of the FSB or other government agency or complete failure on the part of the sysadmins. Either way not a good outcome for rambler.ru users.

    1. caffeine addict

      Re: I have to ask

      when we were a little less cautious

      Speak for yourself...

    2. Adam 1

      Re: I have to ask

      I don't think our understanding about password storage has advanced hugely since 2012. Back then, anyone with an iota of common sense could imagine consequences of a database containing clear text passwords being stolen.

      What has changed is our understanding of the threat model; that it includes the people we assumed were the good guys. Rather than working to protect our interests, they were busy tapping data centres, not reporting vulnerabilities in the firewalls and VPNs and operating systems and the like in the absurd hope that building bigger haystacks will lead to better needle discovery.

  5. Anonymous Coward
    Anonymous Coward

    Is there a point in reporting this?

    Just out of curiosity, where is the value in reporting this 4 years later? In IT, we pretty much count in dog years with respect to vulnerabilities (OK, with the exception of Microsoft where nothing significantly changes) so I would imagine they would have addressed this by now.

    Or is this more to warn password re-users?

    1. imanidiot Silver badge

      Re: Is there a point in reporting this?

      The leak seems to have gone unreported by the site itself, so it might just be as a "hey this happened" message.

      Pretty stupid to be storing passwords in cleartext in any case. In 2012 even I knew better (And I'm a mechanical engineer)

  6. Jon Massey
    Headmaster

    Yaussian

    Where's Yaussia to, then?

    1. Bill Gray

      Re: Yaussian

      There's a chain of toy stores in the US called "Toys Я Us", which I always read as "Toys Ya Us".

  7. cd / && rm -rf *

    "The site competes with Russian social media giant VK.com a site that saw 171 accounts leaked in June"

    Only 171?

    1. Adam 1

      It is their version of Yahoo! 171 users sounds about right then.

  8. Robert Carnegie Silver badge

    Perhaps?

    Perhaps the passwords were encrypted, hashed, even salted, but were not very good ("passwordski" etcetera), so they got cracked by a dictionary attack and then were posted in cleartext in 2016 for ease of misuse.

    1. Lee D Silver badge

      Re: Perhaps?

      Salting would require the salt too. Otherwise you have no chance of what you're hashing to actually finding a match in a dictionary attack.

      Hashing without a salt is no security at all, and as stupid as plain-text passwords. We can spot the MD5 or SHA1 of common passwords in fractions of a second, and MD5 is basically dead in security terms nowadays because it's so easy to find collisions even for unknown passwords.

      Encrypted would mean that their encryption was singularly useless as the system compromised had access to unencrypted versions.

      Unless it was literally all three, they're still being stupid with your passwords.

      But if they are able to find 98.1 million passwords, and if they aren't ALL of the "password123" variety, then it suggests that they were just held in an unencrypted, unhashed database.

      As others point out, it's not unusual at all. People do it all the time. Anything that can email your password back to you is worthless and dangerous. Many forums just store stuff in a MySQL table and expect MySQL to encrypt and protect it for you (hint: It doesn't, and anything running with the same access has access to the same data).

      1. Adam 1

        Re: Perhaps?

        @lee

        Not necessarily. The passwords may have been encrypted but their private key may have also been stolen. That's one of the many reasons that you want salted hashes, not encryption for password storage
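Lee D's point about unsalted hashes and Adam 1's point about salted hashes versus encryption, shown in an added Python example that is not code from the thread, the article or Rambler.ru: with plain MD5, every user who picked the same password gets the same digest and a precomputed table matches all of them at once, whereas a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) stores the salt next to the digest, gives identical passwords different records, and verifies by recomputation with no decryption key anywhere on the server. The account names, passwords and word list are constructed sample data; the 600,000 iteration count is an assumption taken from current OWASP guidance, not anything the thread states.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional

# Constructed sample data (not from the Rambler.ru dump): a few weak
# passwords and some accounts that chose them.
COMMON_PASSWORDS = ["password123", "passwordski", "qwerty", "letmein"]
USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "orbit-velvet-47-lantern",  # deliberately not in the word list
}

# --- the unsalted case Lee D describes -------------------------------------

def unsalted_md5(password: str) -> str:
    """Plain MD5 of the password: every user with the same password gets the
    same digest, so one precomputed table serves the whole database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup(words) -> Dict[str, str]:
    """Digest -> password table for a word list; computed once, reused forever."""
    return {unsalted_md5(w): w for w in words}

def recover_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Match stored unsalted digests against the table; no per-user work at all."""
    return {user: table[d] for user, d in stored.items() if d in table}

# --- salted, iterated hashing (the salt has to be stored too, as Lee D notes)

PBKDF2_ITERATIONS = 600_000  # assumed work factor (OWASP figure for PBKDF2-HMAC-SHA256)

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict[str, Any]:
    """Return the record to store: a random 16-byte salt, the work factor and
    the derived key. Nothing is reversible, so there is no master key to
    steal alongside the table (Adam 1's point)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}

def verify_password(password: str, record: Dict[str, Any]) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))

def demo(iterations: int = PBKDF2_ITERATIONS) -> Dict[str, Any]:
    """Run both storage schemes over the sample accounts and report the outcome."""
    table = build_lookup(COMMON_PASSWORDS)
    unsalted_store = {u: unsalted_md5(p) for u, p in USERS.items()}
    recovered = recover_unsalted(unsalted_store, table)

    salted_store = {u: hash_password(p, iterations=iterations) for u, p in USERS.items()}
    # The precomputed table is useless against salted records: none of the
    # stored hashes appears in it, and each user would need separate effort.
    table_hits_on_salted = sum(1 for r in salted_store.values() if r["hash"] in table)
    return {
        "recovered_from_unsalted": recovered,
        "same_digest_alice_bob": unsalted_store["alice"] == unsalted_store["bob"],
        "same_record_alice_bob": salted_store["alice"]["hash"] == salted_store["bob"]["hash"],
        "table_hits_on_salted": table_hits_on_salted,
        "alice_login_ok": verify_password("password123", salted_store["alice"]),
        "alice_wrong_password": verify_password("password124", salted_store["alice"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows alice and bob recovered instantly from the unsalted store while carol (not in the word list) is not, and the salted store giving alice and bob different records that the table cannot touch. The salt is public data in this design; what protects the record is that it is unique per user and that each guess costs a full PBKDF2 run.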

  9. PassiveSmoking

    Any developer who stores passwords in cleartext...

    ...should be forbidden from going anywhere near anything more high-tech than an electric tin opener. The sheer idiocy of plain text password storage is staggering.

    Just remember folks, every time you sign up for a new website/service/etc, you're relying that said service/website/etc was developed by somebody who was less of a tool than this guy.

    Sleep tight!

    1. Hans 1
      Windows

      Re: Any developer who stores passwords in cleartext...

      >Just remember folks, every time you sign up for a new website/service/etc, you're relying that said service/website/etc was developed by somebody who was less of a tool than this guy.

      >Sleep tight!

      Sorry to repeat myself, but it is the natural born surface specialists, brick-layers, farmers etc that now become IT admins or devs that are the problem, also, our consistent reliance on outdated, security sieve-like software from Redmond that we are force-fed on a daily basis where with three clicks of a mouse I have an insecure web, SMTP, FTP server ...where nobody has ever heard of configuration files, encryption ... where anybody who has ever used Word or Excel can be your next sys-admin.

      When configuration is so easy, you can get the cheapo to do it ... the worst is, they then want to cut costs even further and get a Linux server instead ... I have a number of clients where the "useless" Windows Admin is now tasked to administrate Linux boxen ... no training ... the guy knows what a mouse is, he can take screenshots (mind you with zapIt or whatever it's called coz he never noticed the Prt Sc key on his keyboard, and if he did never tried Alt+Prt Sc), puts them into Word and now knows how to configure a web server. The worst is, that NUMPTY takes a screenshot, pastes it into word, without any text or whatever, and sends it to me like that ..... NEVER HEARD OF MSPAINT.EXE (or whatever imaging App, mspaint.exe is on every PlayD'Oh OS).

      If there are guyz who do that on here ... click the downvote button, I wanna know how many you are ... the shed is not that big, please line up over there!

      1. Hans 1
        Paris Hilton

        Re: Any developer who stores passwords in cleartext...

        Notice the icon ?

        Three downvotes already! You are probably gonna ask, what is wrong with embedding an image in a Word file, right ? I was sure of that !!!!

        http://lmgtfy.com/?q=lossless+image+formats&l=1

        Ouch, I know, and am sorry ... BTW, what are you doing in IT again, may I ask ... I do not want to read condescending, but you ARE what is commonly known as an idiot!

        If you downvote again, you must be Adam from Accenture, sorry buddy, I did not mean to hurt your feelings, but, you know, I was hired to upgrade the application running on GNU/Linux, NOT help you configure IIS.

        1. Hans 1

          Re: Any developer who stores passwords in cleartext...

          It could also be Aldert, from Accenture, who I had to help configure ActiveDirectory domain trusts ... or Alvin (not sure of spelling) who had trouble configuring a Windows file server .... also from Accenture ... as usual.

  10. adam payne

    Cleartext passwords *shakes head*.

    I think someone there needs to be thrown out the door preferably head first.

  11. Crazy Operations Guy

    Could still be encrypted on the database but still be plain-text

    A few years ago I was hired to do a security audit for a small community's cooperative day-care facility. They had a set of IP-cameras set up around the facility so parents can watch their children playing at the facility. There was also a live-chat system attached so parents could all coo in real-time when a child did something they thought was adorable.

    The database stored pretty much everything encrypted on the database using some pretty decent encryption (Although it was using a symmetrical key). As I started digging through the login page, I found that the password checking page would reverse the encryption on the stored password to perform the string-checking. It did this in a fundamentally broken way. The first page you encountered was "EnterUserPass.php" which contained a username field, a password field and a submit button, which when pressed, would redirect you to "GetPassword.php?<Base64-encoded_username>&<Base64-Encoded_password_entered>". The GetPassword page would run a small bit of code to retrieve the encrypted password from the database and decrypt it, then redirect the user to "CheckPassword.php?<Base64_entered_username>&<Base64_entered_password>&<Base64_Unencrypted_password_from_db>"

    The response I got from that mess was "Who would try and break into the website, its a small day care for a community, not a bank!", "Passwords encarded (sic) like that are secure, its not like any of our users are lute-hackers(sic) or anything, they're just suburban soccer-moms", and then "Even if they could see the password, it doesn't matter because they'd only see their own". I kept getting really naive answers like that whenever I'd point out how stupid it was. Especially in light of the fact that you could enter any username you want and see the password; and that login usernames were also the display names in the chat system and forums.

    I spoke with the developer for their website since I figured I'd have more luck than the "IT Person" that was running things (They got the job because, of the parents, they knew how to install apps on an iPad, much more than anyone else could say about themselves). The developer was the kid of one of the parents who said they developed the website in pieces like that so that it'd be easier to maintain; the Base64 was used because "It's being protected by SSL, so don't worry brah". When asked about why he used reversible encryption on the passwords rather than a hash and a salt, he responded with "Hashes can have collisions, this way a hacker couldn't guess a password that collides and get in. What kind of idiot are you that you didn't know that?".

    The server was an old home computer with a pre-made LAMP distro slapped on top with everything still default from the install disc (which was sitting right on top of it), except the stuff a tutorial told him to change. It was odd that the receipt from Best Buy for it showed that it was a $6000 AlienWhore machine with a Core-2 Quad in it and 16 GB of RAM, but while the server was in the stupid looking case, its guts were from a late-P3 Gateway branded machine. It must have been coincidence that the dev-kiddie had a Gateway machine on his desk with a P3 label but seemed to perform far better than any P3 I've ever seen...

    As for the website itself, it was assembled from examples in a book on PHP, some pre-made forum software, a couple tutorials, and chunks of code ripped from Stack Overflow.

    I was hired to look at the day-care's systems since a former employer of mine was moving into the area and wanted me to check the place he was planning to send his kid to (He got permission from them for my audit). He paid me for my report and I went along my merry way, glad to be away from such weapons-grade stupidity. And certainly glad I didn't live in that area. It was one of those planned-communities out in the suburbs built for upper-middle-class Yuppies who married some air-head trophy spouse and want to raise their kids "In a good neighborhood away from the city". The central part of the area only had a few businesses: A Wine store, an Italian-style Bistro / Wine bar, a Whole Foods, a designer goods shop, and a full-service gas station / luxury vehicle dealer.

    1. Adam 1

      Re: Could still be encrypted on the database but still be plain-text

      > .php

      Ah yes, I think I can see the problem already

  12. Adam 1

    to all those advocating backdoored encryption ...

    Once those master keys get out, all your data becomes equally clear text as one of these dumps.
