As the title implies, the popular Facebook and MySpace game/widget maker RockYou was hacked, with the hack becoming public last week Tuesday, December 15th. What's worse is that RockYou stored all of their passwords in the clear, (no hashing), so 32 million plaintext passwords were stolen. I've been doing some digging into this so I can add something to the conversation, but for a great general overview I highly recommend reading TechCrunch's writeup.
First of all, if you have ever used the following social networking applications, you probably should change your password ... like right now.
- Myspace layouts
- Pieces of flair
- Birthday cards
Yup, that's why we're talking about 32 million user accounts, (though in all fairness, many of those user accounts are almost certainly duplicates created by the same person).
One day after the attack became public, the hacker gave an interview over at readwriteweb talking about password security in general. He, (I'm going to assume he's a guy since the nickname he gave was Tom), basically said around 30% of all websites still store user credentials in plain text. He also said the most important thing users can do is choose different passwords for different sites since they can't rely on those sites to protect them.
I'll certainly agree with that. I'll also agree that Rockyou should be held responsible for A) Not storing passwords securely, and more importantly B) Trying to cover up the hack after the fact. When Rockyou tried to downplay the impact of the hack, (by claiming it only affected some of their older programs), it was really a sleezeball move. That being said, I can't condone the Hacker, (Tom), either, since his behavior is unacceptable. It's one thing to point out a vulnerability. It's another thing to exploit it.
Probably the most interesting part of the interview was that they referred to the hacker's blog. Apparently he also goes by the handle 'igigi'. I guess that sounds better than Tom ;) As far as I can tell, he choose igigi because that's what ancient Sumerians called angels. Either that or he's really into plus sized clothing. Now is it just me, or is it weird that someone actively hacking into websites is giving interviews and keeping a blog?
The thing is, igigi probably wasn't the first person to hack into RockYou. According to Imperva, an internet security company, they originally discovered the exploit being talked about on a hacking forum about a week earlier, and several of the webmail accounts associated with those logins have since been flagged as being hijacked by spammers. Looking at igigi's blog, his first entry was December 6th 2009. I guess what I'm trying to say is there's a definite possibility that he stumbled upon an exploit that someone else had posted and decided to cash in on some fame. Either that or he isn't as white/grey hat as he claims to be. RockYou is the only English site he's claimed to hack; All of the other sites have been Slovakian or Czechian which gives you an idea of where he's from, (and/or which forums he reads). I did some additional searches and I haven't been able to find any trace of igigi before December, though my ability to do research into the other sites he's hacked has been limited because Google's Czech to English translator leaves a lot to be desired.
All this is just a run-up to the news that on Monday igigi posted the entire password list, minus the usernames and e-mail addresses. The original rapidshare links no longer work, (or I wouldn't have posted a link to his blog), but the list certainly is still out there on the net if you know where to look. Just a warning though, there are also some copies of it that contain nothing but viruses and fail. Here's a hint, if the list claims to be a self-extracting executable, don't click on it...
Dealing with such a large list has had its own challenges, (though I certainly can't complain). Even opening it with vi takes about a minute, and for searches I've resorted to catting it into grep. I've also discovered that I probably should have used some more efficient algorithms in a couple of my analysis tools.
Here are some of the basic statistics:
- Total Plaintext Values Parsed: 32,603,387
- Average Password Length of Parsed Passwords: 7.88
- Average Complexity Level of Parsed Passwords: 1.94
- Percentage of Passwords that have an uppercase character: 05.94%
- Percentage of Passwords that have a special character: 03.42%
- Percentage of Passwords that have a digit: 54.02%
- Percentage of Passwords that only have lower characters: 41.68%
Overall Letter Frequency Analysis:
First Letter Frequency Analysis:
Last Letter Frequency Analysis:
The first thing that stands out is that many of the passwords don't meet RockYou's password policy. RockYou requires users to create a password between 5 and 15 characters, and passwords cannot contain special characters. With this dataset though, 78,404 passwords were less than five characters long, and 258,835 passwords were longer than fifteen characters long. As already mentioned, 3.42% of the passwords also contained a special character. This seems to imply that a lot of RockYou's applications use a different password creation policy. Since many of the widgets manage Facebook/MySpace info, it's a fair bet that they require the user to enter their Facebook/MySpace password which is what we're seeing in this dataset.
Well, it's Christmas Eve, so I'm going to leave further analysis till later. As a Christmas/Hanukah/Seasonal present I would really appreciate for you guys to let me know in the comments or via e-mail what you would be interested in finding out about this list. That way I can focus on what's useful to you vs. just posting random statistics like I did above ;)