Hackers Behind Biggest-Ever Password Theft Begin Attacks
An anonymous reader writes Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports the hackers have begun using the list to try and access accounts. "Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts." They report that most login attempts are failing, but some are succeeding. Now is a good time to check that none of your important accounts share passwords.
Welp (Score:1)
Time to TFA bitches!
Re: (Score:2)
Re: (Score:3)
Re:Change your password and enable 2 factor auth.. (Score:5, Informative)
My suggestion to Namecheap (and other domain registrars or hosting companies) would be to lock them all down if possible, force all users to change the passwords from e-mail or other contact method before they can login again. We don't know what they have and we don't know what their plans are. This is a gaping security hole in the internet.
Unless the users had the same password for their email account, which is likely. This is the problem with the username/password system: people want single sign-on, but companies don't want to cooperate unless it involves giving up any shred of anonymity, i.e. Facebook/Google logon.
Re: (Score:1)
Yeah it's bad, and I protect my shit to the max and I still worry. The problem is that even with all the safeguards, it only takes one gullible tech support person to completely destroy it. A 90 trillion character password is worthless if you can get it reset over the phone with half-assed information.
I talked AOL into resetting my password with only my name spelled incorrectly back in the day. "boredom at its finest" It made me feel so warm and fuzzy ins.. I mean terrified that I changed my service the same day.
Re:Too late (Score:5, Insightful)
With a billion credentials, they certainly haven't had the chance to exploit them all yet. It's too late for 0.01% of the victims, but not too late for the rest of us.
Re: Too late (Score:2)
How about this one. There are probably over 100 websites that have stored my credit card information in their own proprietary system because every company seems to have "not developed here" syndrome, and making each uname/password combo is very difficult without some easy to guess alto, or even remembering where accounts might have been created already. And on top of that, nobody has any clue who was affected or how they were affected because the only
Re: Too late (Score:2)
Uname/password combo unique*
Algo* not alto
Re: (Score:2)
Get a password management program.
I've been using one for just over a year; there is a master password that isn't stored anywhere, and everything I log into has a different password.
If I need to log in at home I fire up the program and it will autofill passwords on the right sites; if I'm at work I use my phone or the website to get the passwords, and it reminds me every x amount of days to reset the passwords.
Not 100%, since nothing is, but much better than the old methods.
Re: (Score:1)
Hi weszz,
Any password programs that you recommend I can start using or look at?
Ideally something that will work on my android tablet but even then I worry about the security of my tablet itself.
Re: (Score:2)
Most thieves, when presented with that obstacle, will just reformat the device for sale rather than try and steal information off of it.
As for apps, KeePass / LastPass are frequently mentioned. My personal preference is a strong master password in Firefox, and just let it remember the 100s of secondary website account passwords (i.e. not
Re: (Score:1)
Re: (Score:2)
I've been using Dashlane; it's been really good for me. There is a cost and a free trial. If you want the 6 month trial let me know and I'll post a link.
The benefit that gives is password syncing, so it's stored by them as well as your phone/tablet and computer; your master password decrypts them so they can be used. Dashlane also alerts me to any website I have a password for that reports a hack, so I know right away to change the password.
This won't do anything for device encryption, just passwords.
Re: (Score:1)
Dashlane looks exactly like what I need, and the cost is pretty small compared to its features. Let me give the free trial a go, or is 6 months the default trial period?
Re: (Score:2)
Here's a link to the longer trial
https://www.dashlane.com/en/cs... [dashlane.com]
Re: (Score:2)
I THINK the normal trial is a month, so this will give you more time to see if it works for you. Otherwise local only is free, the syncing stuff is what the premium stuff is for.
Re: (Score:2)
May be off in my understanding of dashlane, but I don't think it decrypts it until you have a request for it. With that something may be able to figure out how to start requesting them, but I have more faith in that process handing the password off to their agent for a browser than what I know of ones that use a file you put on dropbox to keep safe... yes you can encrypt the whole database, but that to me makes it more susceptible...
I also wouldn't personally trust one from Symantec, McAfee or one of those
Re: (Score:2)
Really? You are going with the "blaming the victim" route?
How about this one. There are probably over 100 websites that have stored my credit card information in their own proprietary system because every company seems to have "not developed here" syndrome, and making each uname/password combo is very difficult without some easy to guess alto, or even remembering where accounts might have been created already. And on top of that, nobody has any clue who was affected or how they were affected because the only group claiming to have any idea what happened has refused to divulge that information, giving the hackers free rein to continue to exploit vulnerabilities no matter how users respond.
So any attempt at blaming users seems awfully idiotic in the face of everything else.
How many companies actually mandate saving a credit card within the account though? Almost all of them that I use (although not most of them by default) allow payment via a nonsaved credit card, so an attacker can't do anything nefarious after gaining access to the account. It does require more effort though. But yes, to your point it is silly to blame the user when clearly the actual mistake was made by the site that lost the credentials through bad security management. I will however raise you one mor
Re:Notified and ignored? (Score:5, Informative)
From the namecheap link:
I must reiterate this is not a security breach at Namecheap, nor a hack against us. The usernames and passwords the hackers are using have been obtained from other sources. These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and login to Namecheap accounts.
Re: (Score:3)
... but that wasn't the original poster's point....
Au contraire, that was the OP's point. The OP threw an unsubstantiated accusation at namecheap.com: "Did Namecheap notify its users via email that their system was compromised".
The OP stated, incorrectly, that namecheap's system was compromised.
Re: (Score:2)
Ideally, all providers should have some 2FA mechanism. name.com has two options, true 2FA with TKIP [1], and an authorized IP list where if you are not using an IP the site knows about, it will E-mail you with a link to log on. Of course, the IP list isn't extremely secure as if the E-mail account is compromised, it can be added... but it would stop entry for someone who managed to guess a password.
[1]: One can use many apps for this: Google's Authenticator, Amazon's AWS, or a decent number of others.
Re: (Score:2)
Because if they can gain access to your email, they can do password resets to gain access to dozens / hundreds of your accounts.
Some of the web email providers have 2FA (two-factor authentication) - those are probably better choices if you don't run your own email server.
Re: (Score:2)
One thing I wish Exchange [1] had was the ability (and would be turned off by default like POP and IMAP support) to have application passwords, as well as the ability to support 2FA if someone is logging in via the Internet.
It is ironic that all of my "free" E-mail accounts have 2FA on them, while my paid providers don't have this functionality.
[1]: Probably AD as well, for storing the random seed key for the secondary authenticator, as well as when to ask for the authenticator versus just the password onl
Re:Google is your friend (Score:3)
http://www.thedomains.com/2014... [thedomains.com]
The good news is that Namecheap found the attack early and took measures to defeat the attempt to log into NameCheap accounts; the bad news is this is not just a security issue for Namecheap but seems to be along the lines of the groups of Russian Hackers which gained access to hundreds of thousands of email accounts and millions of user IDs and passwords last month, so it's an issue for all Internet Users
Re: (Score:1)
Did Namecheap notify its users via email that their system was compromised and they need to change their password? If so, and they ignored it, oh well, it's your own damn fault. If Namecheap didn't notify its users via email, then Namecheap is at fault and should be accountable for any damages, monetary or otherwise.
I have a few domains at Namecheap and I have never received an email about this.
Re:Notified and ignored? (Score:5, Interesting)
If so, and they ignored it, oh well, it's your own damn fault.
I hear this argument a lot. But the fact of the matter is, if your neighbor is stupid enough to let their kids play with matches... yes, that's their fault, but that doesn't mean your house isn't going to burn down right along with theirs. A breach of this scale could have repercussions for the internet as a whole. I run into this attitude at work all the time... let's say we're building a website and we put a button on the screen over to the right, but if they have the window too small they can't see that button. Someone invariably says something to the effect of "Well, you'd have to be an idiot to have your window shrunk down to that size! It's their own fault for being stupid!" at which point I pipe up and say "We want stupid people's money too, don't we?"
You can't just ignore stupid people on the net. That's about 99.99% of people, and they're paying for the rest of us to actually use it properly.
Re: (Score:1)
Re: (Score:2)
Someone invariably says something to the effect of "Well, you'd have to be an idiot to have your window shrunk down to that size! It's their own fault for being stupid!"
<rant> I get plenty of that here too, but it's not the user who is being stupid, it's the moron who tries to cover his design flaws with such a remark. Web content should adjust itself to match the user's display and window, not the other way around.
I'm so fed up with all those websites that show their content as a 10 cm (or 4 inch if you prefer) vertical band in the middle of the window, that my browser window is set to accommodate not much more than that by default. Wider sites should reflow to fit that. If they don't, they're even more wrongheaded than those that insist on turning your screen estate into 80% empty space if you dare to run your browser full screen. </rant>
Don't be such a short-sighted idiot.
The tools to do that are only a year or two old. It takes time to cycle out old tech and bring new tech into a web site. There is ALWAYS some new thing that newer browsers will do that you can't use because it's brand new, and requires a rebuild of the site. Like, every week there is something new. For many years, people were waiting for IE8 to die out with XP.
Rebuilding a site is expensive, especially if it's a commercial site and the company isn't big enough
Re: (Score:1)
Re: (Score:2)
Yes. Don't kill the pigs.
Re: (Score:2)
But bacon!
Re: (Score:2)
Cops like donuts, not Russian mobster hackers.
Two-Factor Authentication (Score:3)
Re:Two-Factor Authentication (Score:5, Informative)
If you have a Gmail account, look for the Last Account Activity at the bottom right. Use the Details link to see your recent history. Set your preferences to alert you to unusual account activity. More accounts should notify you of unusual logins and login attempts.
Re: (Score:2)
Re: (Score:2)
Interestingly enough, Google will also request 2-step verification if you have a mobile number set up and you're logging in from another part of the world. A few months back someone tried to log into this gmail account; it was blocked automatically. They then tried to reset the password and I got an SMS challenge on my cell. It's also smart enough to know that if you've been one place before, it's likely you as well. I regularly head to the far northern part of Canada, very few ISPs and broadband. The fir
Larger Implications? (Score:2)
Why? Simple bullshit is why. (Score:5, Informative)
The first report was bullshit by some nobody to make money, nothing more and nothing less. This is more of the same bullshit to make bogeymen, and Russia has been a good target lately. I have worked in IT security for nearly 3 decades, so yes I do have some knowledge.
The 1.2 billion "credentials" was nothing to worry about (see disclaimer below), and still isn't. Hackers move massive lists of email addresses all the time, and try to run brute force attacks all the time. We block hundreds of thousands of these attacks every day. The majority are [email_addr@domain] with a password of 'password1'. Most of the time these are easy to see, as neither the user nor the domain exists on the targeted servers. Even the legit addresses are easy to detect, because hackers will use the top 25 worst passwords (just like you can find in articles every year, no I'm not kidding). Rarely do I ever see anything complex, like .00001% of the time rare, where there is actually a worm running on the back end (think John the Ripper).
If I was a conman and wanted to make fast cash, I could start dumping all of these email addresses to a DB, and say "Oh Noez! This email account is haxxored!" when in reality there is no such compromise. To fluff numbers, I hash 'password1' in SHA, MD5, CRYPT, and maybe even use plain text. 300 million accounts have now given me a claim of 1.2 billion 'credentials', and you can hopefully see that the claim is complete shit! I can gather those 300 million addresses in a week without breaking a sweat.
Disclaimer. You should be changing passwords for anything you care about frequently. 8 character passwords every 90 days, 14-16 character every 6 months. If you are using a strong password and are up for a change, go do so, no big deal. Since I write this shit for policies regularly, a "strong" password consists of the following.
1. No dictionary words, proper names or common acronyms in forward or reverse.
2. No QWERTY keys, including qazwsx, 54321, etc...
3. Contains at least 1 special character, 1 number, 1 upper and 1 lower case character.
4. Is not 'p@SSw0rd' or some other l337 speak that would be in a cracklib dictionary, and there is plenty there.
There are obviously restrictions in some places, so if you can't use certain characters make a longer password. If you can't make a longer password change the password more frequently. The majority of 'hackers' are script kiddies, not hackers. If you make things hard, they find a different target. There are numerous people out there that use 'password1' for their password, don't be one of them.
Re: (Score:2)
correcthorsebatterystaple
Re: (Score:2)
correcthorsebatterystaple
22f0ebce1cbb13f9b9ea8ad40442c1852932156c
thanks sha1sum
Re: (Score:2)
Assuming an attacker has no knowledge of the password make-up, according to your policy the password nkeL4(b3 sits in a keyspace of around 6.1 * 10^15 combinations.
Under equal conditions the password refineddisplayparcelsuited sits in a keyspace of around 6.2 * 10^36 combinations. When I get back from my appointment this morning, I will still remember refineddisplayparcelsuited and won't have to write it on a sticky note, or save it on to the Dropbox App on my phone, which has a crappy password I use everywh
Re: (Score:2)
Your account has been locked out due to too many failed login attempts. Please contact your slashministrator.
Re: (Score:3)
Misspellings can help a lot and make it a lot stronger (adding maybe 3-4 bits per word). Adding spaces or punctuation between them adds maybe 1 bit per word. Random capitalization of something other than the first letter adds 2 bits per word.
Basically, if you're using English language phrases / words w
Re: (Score:2)
"refineddisplayparcelsuited" is not a common phrase, and this isn't Master Mind where the attacker gets hints when he correctly selects part of the password.
I love how we spend so much time picking passwords that are hard for people to guess-- or remember-- when computer programs can only be written in a practical manner to try the most common dictionary words or "hunter2"-type passwords. Past that, it's all brute force whether you used "j$b01[BaP*@" or "refineddisplayparcelsuited" because the program has
Re: (Score:2)
"refineddisplayparcelsuited" is not a common phrase, and this isn't Master Mind where the attacker gets hints when he correctly selects part of the password.
I love how we spend so much time picking passwords that are hard for people to guess-- or remember-- when computer programs can only be written in a practical manner to try the most common dictionary words or "hunter2"-type passwords. Past that, it's all brute force whether you used "j$b01[BaP*@" or "refineddisplayparcelsuited" because the program has no idea how much of the character set your password used until it's been cracked.
Except guessing at strings of words is trivial if they are in the dictionary.
refined display parcel suited are 4 common words. I could write a tool to attack that very quickly, starting with the most common words arranged in 2,3,4 sets.
Re: (Score:2)
I meant log2(5000^4), of course.
Well, not to waste this comment, gonna plug for Diceware [std.com] as a nice freely available ~7k word dictionary organised for passphrase generation. Oh yeah, and it doesn't contain "refined", still.
The Diceware method is a good process, but it makes me uncomfortable to use a nice preformatted set of words to make a passphrase out of. Attackers could build a rainbow table pretty easily (and we know not enough people salt their database hashes) with a few PB of disk space. Why not make new Diceware lists from less common words, and change it every so often? It would require the same process but offer a lot more entropy.
Also w.r.t. your earlier claims about the top 5000 words, check that list again (you no
Re: (Score:2)
For posterity, it's not just the off line attack that's become a problem. There are numerous attacks that occur over huge IP ranges. If you locked the account at a few bad attempts most users would be perpetually locked out. Hackers are now hitting an account from thousands of IP addresses to brute force. They rate throttle to reduce detection, most connecting once every 30-60 minutes. The really stealthy attacks may have a single IP connecting once per day for 1 account, the next day the same account
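The post above describes the failure mode of a per-IP lockout: an attacker spreading guesses for one account across many IPs at a low rate never trips it. The added example below (not from any poster) runs a classic per-IP lockout rule and a per-account distinct-source rule over a constructed authentication log to show what each catches.

```python
"""Detect slow, distributed credential stuffing in authentication logs.

Added example (not from any poster). A per-IP lockout threshold misses an
attacker who spreads guesses for one account over many IPs at a low rate,
so the detection below also aggregates failures per *account* and counts
the distinct source IPs behind them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user ip result". 'alice' mistypes twice
# from home; 'bob' is targeted once per IP, ~45 minutes apart, from six IPs.
SAMPLE_LOG = """\
2014-09-01T00:02:11 alice 198.51.100.7 FAIL
2014-09-01T00:02:40 alice 198.51.100.7 FAIL
2014-09-01T00:03:05 alice 198.51.100.7 OK
2014-09-01T00:10:00 bob 203.0.113.10 FAIL
2014-09-01T00:55:00 bob 203.0.113.11 FAIL
2014-09-01T01:40:00 bob 203.0.113.12 FAIL
2014-09-01T02:25:00 bob 203.0.113.13 FAIL
2014-09-01T03:10:00 bob 203.0.113.14 FAIL
2014-09-01T03:55:00 bob 203.0.113.15 FAIL
2014-09-01T04:00:00 carol 192.0.2.22 OK
"""

def parse(log):
    """Yield (time, user, ip, ok) tuples; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        yield datetime.fromisoformat(ts), user, ip, result == "OK"

def per_ip_lockouts(events, max_failures=5, window=timedelta(minutes=15)):
    """Classic rule: lock an (ip, user) pair after max_failures in window.
    Returns the set of (ip, user) pairs that would be locked."""
    fails = defaultdict(list)
    locked = set()
    for ts, user, ip, ok in sorted(events):
        if ok:
            continue
        recent = [t for t in fails[(ip, user)] if ts - t <= window]
        recent.append(ts)
        fails[(ip, user)] = recent
        if len(recent) >= max_failures:
            locked.add((ip, user))
    return locked

def distributed_stuffing(events, min_ips=4, window=timedelta(hours=6)):
    """Flag accounts whose failures within `window` come from >= min_ips
    distinct sources, however slowly each source connects.
    Returns {user: (failure_count, distinct_ip_count)}."""
    fails = defaultdict(list)          # user -> [(ts, ip), ...]
    flagged = {}
    for ts, user, ip, ok in sorted(events):
        if ok:
            continue
        recent = [(t, i) for t, i in fails[user] if ts - t <= window]
        recent.append((ts, ip))
        fails[user] = recent
        ips = {i for _, i in recent}
        if len(ips) >= min_ips:
            flagged[user] = (len(recent), len(ips))
    return flagged

def analyse(log=SAMPLE_LOG):
    """Run both rules over a log; returns (locked_pairs, flagged_accounts)."""
    events = list(parse(log))
    return per_ip_lockouts(events), distributed_stuffing(events)

if __name__ == "__main__":
    locked, flagged = analyse()
    print("per-IP lockouts:", locked or "none")   # none: no IP reached 5 failures
    print("distributed stuffing:", flagged)       # {'bob': (6, 6)}
```

Tuning `min_ips` and `window` against your own baseline matters: legitimate users on mobile carriers also change IPs, but rarely fail from four distinct addresses in a few hours.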
Stat is very wrong.. (Score:2)
I'm not sure you ever tried to write a brute force tool, let alone run one. I'm not saying your method is horrible, but it is nowhere near as secure as you think. The actual strength is (dictionary_words)^4. The statistic you gave is not even accurate as a 26 character randomized password, which would be 26^26 (given that you are only using lower case letters). Your strength statistic is absolutely wrong.
There are many ways to make strong passwords. If you want to use words like that, mixing in what I
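The keyspace figures traded in the last few posts (6.1 * 10^15 for nkeL4(b3, 6.2 * 10^36 for refineddisplayparcelsuited, and the log2(5000^4) counter-estimate) come from different attacker models. The added example below (not from any poster) computes each of them so the difference between character-level brute force and a dictionary model is explicit; the guess rate in the `__main__` block is an assumption, not a measured figure.

```python
"""Keyspace and entropy figures under the attacker models argued above.

Added example (not from any poster). Two models: character-level brute
force over exactly the classes a password uses, and a dictionary model
that treats a passphrase as N words drawn from a D-word list.
"""
import math
import string

# Class sizes a brute-forcer assumes once it knows which classes occur.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]

def charset_size(password):
    """Sum the sizes of the character classes present in `password`."""
    return sum(size for chars, size in CLASSES
               if any(c in chars for c in password))

def brute_force_keyspace(password):
    """Guesses to exhaust every string of this length over the classes used."""
    return charset_size(password) ** len(password)

def dictionary_keyspace(n_words, dict_size):
    """Guesses if the attacker knows it is n_words from a dict_size-word list."""
    return dict_size ** n_words

def entropy_bits(keyspace):
    """Equivalent bits of a uniformly chosen secret from `keyspace` options."""
    return math.log2(keyspace)

def expected_seconds(keyspace, guesses_per_second):
    """Average time to hit the password: half the keyspace at the given rate
    (the rate is supplied by the caller as an assumption)."""
    return keyspace / 2 / guesses_per_second

def compare(short="nkeL4(b3", phrase="refineddisplayparcelsuited",
            n_words=4, dict_size=5000):
    """Return the figures quoted in the thread, computed rather than typed."""
    return {
        "short_brute_force": brute_force_keyspace(short),    # 94**8  ~ 6.1e15
        "phrase_brute_force": brute_force_keyspace(phrase),  # 26**26 ~ 6.2e36
        "phrase_dictionary": dictionary_keyspace(n_words, dict_size),  # 5000**4
    }

if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast unsalted hash
    for name, space in compare().items():
        print(f"{name:20s} {space:.2e}  {entropy_bits(space):6.1f} bits  "
              f"~{expected_seconds(space, rate) / 86400:.1e} days")
```

The dictionary model puts the four-word phrase at about 49 bits, below the 52 bits of the 8-character mixed password, which is the point the "Stat is very wrong" reply makes; the 26^26 figure only holds against an attacker who does not know the phrase is built from words.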
Re: (Score:2)
Re: (Score:2)
It's simple, get control of a domain and you can redirect all email. Redirect all email and you can reset passwords without needing to ever worry about the actual mailbox password (which is probably stronger than the registrar password but obviously is just as important).
Exhibit A, in which this exact scenario happened:
https://medium.com/p/24eb09e02... [medium.com]
The Start (Score:1)
Does this mean we are approaching a preemptive strike from Russia? We always hear about our infrastructure being compromised via the internet; I guess a war with Russia is a good way to find out!
Idiot...luggage (Score:2)
I'm watching Spaceballs right now so I'm really getting a kick out of this story.
many sites still dumb (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
But it's special characters! It MUST mean the password is more secure! Wait, you're also saying that using "seventysix" is more secure than "76"? Goodness gracious, man, what is wrong with you? Did you use that "mathematics" thing again?
Re: (Score:2)
One version of PHPBB had a bug where it trimmed the special characters (or at least the @) from a password when you *created* it, but not later on when you tried logging in. I had to reinstall a couple of times before I somehow figured out what was going on. Not sure if this bug still exists, as it was many years ago.
Re: (Score:2)
Re: (Score:3)
my bank went from unlimited characters to 10 with no special characters...
Took me so long to figure out why I couldn't change my password... Thought there is no way this isn't complex enough... turns out I had to trim 6 characters off it and remove the symbols and such... made for a sad day.
Their response was that it didn't matter because a brute force attack would be locked out long before it could try the other characters.
Much higher than normal != related to 1.2 billion (Score:1)
Maybe someone stole 15 million accounts and is trying them out (way less than 1200 million and way more than normal on their website).
Hahaha (Score:2)
Of course, it could not have been any of the thousands of brute force attacks that happen every day.
No.
It was a brute force attack by bad baby eating state sponsored Russian hackers, specifically using the imaginary end-of-the-world password list.
Of course, neither the "1.2 billion passwords" list, nor the "they're using it against Namecheap" events were/are cheap advertising.
Nope.
Re: (Score:2)
It was a brute force attack by bad baby eating state sponsored Russian hackers
That is a very bad baby.
Did they already catch them then? (Score:3)
Why would these "Russian criminals" be the ones behind this attack? Sure, some company used the argument that there seems to be a list of over 1 billion accounts floating around on the internet to sell their services some time ago. It may even be that this list was found for sale on a Russian market place. It may even be that there are actual Russians selling this list. The accounts could even be mostly real, although probably most of it will be relatively dated.
But why would that same group of people that are actively selling this list be the same group that is using it? It makes much more sense that some group that bought part of this list, or bought some other list, or has their own trojan to steal passwords is now attacking namecheap. Unless there is substantial evidence that the same group is behind it, this is just FUD and sensationalism.
Namecheap is under attack with what's most likely a brute force list with accounts that were compromised in some yet unknown way. I think those are the facts and the rest is purely speculation.
If I had a billion credentials, (Score:2)
for sure the first site I'd attack is obscure registrar namecheap...
Should have used the Kaje Password service! (Score:1)
[shameless plug, but apropos] - my company's Kaje Picture Passwords for the Web [ka.je] would have prevented these attacks almost completely. (I say "almost" because, well, "never say never".) We published a press release about this two weeks ago: Bright Plaza offers “Kaje” Website Security Solution to Russian Hacker Password Breach [prweb.com]. Using Kaje, the password is no longer stored on the website so these breaches could not have exposed the passwords. Kaje never knows anything about the user other than
wut (Score:3)
Now is a good time to check that none of your important accounts share passwords.
No, now is a terrible time to check for that. You should not have to check.
You know... (Score:2)