Thursday, December 24, 2009

RockYou Hacked: 32 Million, (yes that's Million), Passwords Stolen

As the title implies, the popular Facebook and MySpace game/widget maker RockYou was hacked, with the hack becoming public last week Tuesday, December 15th. What's worse is that RockYou stored all of their passwords in the clear, (no hashing), so 32 million plaintext passwords were stolen. I've been doing some digging into this so I can add something to the conversation, but for a great general overview I highly recommend reading TechCrunch's writeup.

First of all, if you have ever used the following social networking applications, you probably should change your password ... like right now.
  • Slideshow
  • Uploadphoto
  • Photofx
  • Glittertext
  • Funnotes
  • Countdown
  • Superhug
  • Myspace layouts
  • Stickers
  • Superwall
  • Pieces of flair
  • Speedracing
  • Likeness
  • Hugme
  • Birthday cards
Yup, that's why we're talking about 32 million user accounts, (though in all fairness, many of those user accounts are almost certainly duplicates created by the same person).

One day after the attack became public, the hacker gave an interview over at readwriteweb talking about password security in general. He, (I'm going to assume he's a guy since the nickname he gave was Tom), basically said around 30% of all websites still store user credentials in plain text. He also said the most important thing users can do is choose different passwords for different sites since they can't rely on those sites to protect them.

I'll certainly agree with that. I'll also agree that Rockyou should be held responsible for A) Not storing passwords securely, and more importantly B) Trying to cover up the hack after the fact. When Rockyou tried to downplay the impact of the hack, (by claiming it only affected some of their older programs), it was really a sleezeball move. That being said, I can't condone the Hacker, (Tom), either, since his behavior is unacceptable. It's one thing to point out a vulnerability. It's another thing to exploit it.

Probably the most interesting part of the interview was that they referred to the hacker's blog. Apparently he also goes by the handle 'igigi'. I guess that sounds better than Tom ;) As far as I can tell, he choose igigi because that's what ancient Sumerians called angels. Either that or he's really into plus sized clothing. Now is it just me, or is it weird that someone actively hacking into websites is giving interviews and keeping a blog?

The thing is, igigi probably wasn't the first person to hack into RockYou. According to Imperva, an internet security company, they originally discovered the exploit being talked about on a hacking forum about a week earlier, and several of the webmail accounts associated with those logins have since been flagged as being hijacked by spammers. Looking at igigi's blog, his first entry was December 6th 2009. I guess what I'm trying to say is there's a definite possibility that he stumbled upon an exploit that someone else had posted and decided to cash in on some fame. Either that or he isn't as white/grey hat as he claims to be. RockYou is the only English site he's claimed to hack; All of the other sites have been Slovakian or Czechian which gives you an idea of where he's from, (and/or which forums he reads). I did some additional searches and I haven't been able to find any trace of igigi before December, though my ability to do research into the other sites he's hacked has been limited because Google's Czech to English translator leaves a lot to be desired.

All this is just a run-up to the news that on Monday igigi posted the entire password list, minus the usernames and e-mail addresses. The original rapidshare links no longer work, (or I wouldn't have posted a link to his blog), but the list certainly is still out there on the net if you know where to look. Just a warning though, there are also some copies of it that contain nothing but viruses and fail. Here's a hint, if the list claims to be a self-extracting executable, don't click on it...

Dealing with such a large list has had its own challenges, (though I certainly can't complain). Even opening it with vi takes about a minute, and for searches I've resorted to catting it into grep. I've also discovered that I probably should have used some more efficient algorithms in a couple of my analysis tools.

Here are some of the basic statistics:
  • Total Plaintext Values Parsed: 32,603,387
  • Average Password Length of Parsed Passwords: 7.88
  • Average Complexity Level of Parsed Passwords: 1.94
  • Percentage of Passwords that have an uppercase character: 05.94%
  • Percentage of Passwords that have a special character: 03.42%
  • Percentage of Passwords that have a digit: 54.02%
  • Percentage of Passwords that only have lower characters: 41.68%
Overall Letter Frequency Analysis:
ae1ionrls02tm3c98dy54hu6b7kgpjvfwzAxEIOLRNSTMqC.DBYH_!UPKGJ-* @VFWZ#/X$à,¸\&+=Q?)(';%"]Ã~:[^

First Letter Frequency Analysis:
sm1cba0pljdtrk2hgfniew39v45o8y76MzSBACJLquDPTxRKGHNFIEW*VOY#Z@!Q($.UXà-_<~[/+,;="`?&%Ã:^

Last Letter Frequency Analysis:
1ae326sn5794y08roltdihgmukzc!pxwbA.fEj*SNYOvRLqDT@IHM$?KG)U_-ZC+#PXB/,WJ]%;F'~=V`^\&Q"> (:

Quick Analysis:
The first thing that stands out is that many of the passwords don't meet RockYou's password policy. RockYou requires users to create a password between 5 and 15 characters, and passwords cannot contain special characters. With this dataset though, 78,404 passwords were less than five characters long, and 258,835 passwords were longer than fifteen characters long. As already mentioned, 3.42% of the passwords also contained a special character. This seems to imply that a lot of RockYou's applications use a different password creation policy. Since many of the widgets manage Facebook/MySpace info, it's a fair bet that they require the user to enter their Facebook/MySpace password which is what we're seeing in this dataset.

Well, it's Christmas Eve, so I'm going to leave further analysis till later. As a Christmas/Hanukah/Seasonal present I would really appreciate for you guys to let me know in the comments or via e-mail what you would be interested in finding out about this list. That way I can focus on what's useful to you vs. just posting random statistics like I did above ;)

5 comments:

tfxc said...

the initial vulnerability was posted 29th November on a hacking forum called darkc0de here: http://forum.darkc0de.com/index.php?action=vthread&forum=11&topic=13082

Per Thorsheim said...

A few requests for analysis:

1. I would like to see a comparison of Twitters 370 banned passwords against the top 370 or so passwords stolen from rockyou (http://www.techcrunch.com/2009/12/27/twitter-banned-passwords/)

2. You're way down the list of first position character analysis before you get to the uppercase letters. To me that's a lack of a "standard" complexity requirement. On almost all statistics i've done, i see first case being uppercase, *if* there's a complexity requirement (see my blog for some simple stats)

3. Since there's no info on whether the passwords are old or relatively new, there's a probability of one (or more) password policies being over time, explaining the passwords not being compliant to the current rockyou policy. Oh, and rarely do i see a technical implementation of a password policy that actually matches the written policy 100%.

Regards,
Per Thorsheim
securitynirvana.blogpsot.com

Matt Weir said...

Thanks tfxc for the heads up. Whenever I go to forums like that I always get mixed feelings. On one hand reading through some of the other threads I'll be going, "Oh I hope they post that list as it would be great for my research", since I can't use any of the exploits to obtain the list myself. Aka I can't hack without permission since it's very important to me that I stay on the white-hat side of things. But then I'll realize that real people will be hurt by the publishing of those lists so I want them to be kept secret. That's actually a topic I'd love to see addressed by a panel at a computer conference: "Performing security research while keeping your soul".

Matt Weir said...

Per, thanks for the comments and the question. I just posted a write-up of the Twitter blacklist so I hope that is helpful. As to your other two points,

2. I completely agree with you that people almost always uppercase the first letter if they do bother to hit that shift key. A couple of other strategies, (such as uppercasing the last letter), occasionally show up, but the first letter is by far the most common. The reason why uppercase letters are so far down the list for the first character LFA is because uppercase letters in general were fairly uncommon. Aka only 5.94% of the passwords contained an uppercase letter.

3.I agree with you there as well, though I think a lot of what we're seeing is that many of the widgets require the user to store their facebook/mypsace/etc password with RockYou. Since all of these social network sites have different password policies, there's no unified password creation policy that governed the generation of this list.

BTW, I checked out your blog and really liked it. Keep up the good work!

Ilya said...
This comment has been removed by the author.