Sometimes only brutal hacking attacks leads us to think about the security of our private information and virtual life. Last week email addresses and related the passwords of 4,929,090 users of Gmail, Yandex and some other services were published on one of the most trusted Russian cryptocurrency security forums – BTCsec.com.
On September 9, user tvskit from Russian Bitcoin security forum BTCSec.com, first reported the dump of the 28.7 MB file containing more than 4.92 million of Gmail accounts and passwords, as well as several thousands of credentials from Russia's largest email service Yandex. According to the user, 60% of these credentials are valid. Since then, a forum administrator purged the passwords from it.
This is not the first hacker attack in the network, but stealing of almost 5 million accounts is indeed shocking fact. Why, who did this, was it a single theft or were hackers collecting all this information for years?
Ivan Tikhonov is the founder of the BTCsec.com and Bitcoin expert. Moreover, he is a Bitcoin activist since 2011, and helps people learn about Bitcoin technology and benefits. We were able to get an exclusive interview with him and ask the most important questions about the case.
Nina Lyon: In my opinion BTCsec.com is one of the most popular and reliable sources for the Russian speaking crypto community. The fact that so many addresses and data’s were hacked and published shocked a lot of people and most of us are searching for the answer –how and why? Maybe it's a soft spot in the email system or the information was leaked from a third-party service, and most importantly - who could get access to this information? Maybe you could also tell us what was your reaction when you saw this list?
Ivan Tikhonov: The market of email addresses and database sales existed for some time before, but it never reached such a large drains of databases in public access. BTCsec.com is not the primary resource of these bases but we were among the first who published this bases but removed passwords. It was done so that people could check out if their mailboxes are in the list. But as far as there are no passwords in the list – no additional malicious intent from third party is possible.
The main purpose of the publications was reached - the broad resonance in public, articles in the media, and reports on television. Users now pay more attention to the security of their data, postal services also responded and locks doubtful or compromised accounts.
Speaking about the primary source database – it is obvious that this is not a simple leak from a single resource but a collected base from different resources that was collected over the years. At the time of publication, the list of hacked Yandex accounts was quite up-to-date but Google was valid only for 60%, moreover there were addresses from Yandex, Yahoo and others too. Though, many users admitted that some passwords were never used for these mailboxes while other [passwords] were outdated or changed 8-10 years ago. It is worth mentioning that a lot of accounts in the list were up-to date.
I talked to many people who have found their data in the list. And the most interesting cases were not about passwords that do match to the box or was used previously for these accounts, but the cases when the password to the mail account has never been used, though users admitted that this is the password that they use on other sites. Most of these were the passwords for some single-use accounts on fishy websites. Sometimes people say that they used a password on fishy sites but never used/entered for the email mentioned in the list. So we may make two possible conclusions: first - people are mistaken as many of them couldn’t remember and name services they used these passwords at. The second - that the algorithms hackers use to collect data improves and now they are able to connect disparate data from multiple sources into a single database.
Also the analysis of passwords in the database showed that there were both very simple passwords like 123456 or qwerty123 and complex that are difficult to get/match by brute force or dictionary attack. This means that some of the base could be made by running spammer databases dictionary of the most often used passwords, some were collected from compromised resources, some stolen via phishing, Trojans and other malicious software.
Recently, a series of high-profile break-ins using the error in the OpenSSL library, so-called Heartbleed, it is possible that the part of this database has been collected with because of this error.
Today there are various ways how to cheat the user. For example: the scammers create a website that looks like a real one. The user goes to this website and feels no issues and goes to the other tabs in the browser. When the malicious site understands that the user is watching the other tabs and it changes its contents to a copy of one of the services the attackers want to get access to. The user remembers that there were nothing suspicious in the tabs he just opened, so he or she clicks the tab of this “changed” site without checking the address bar or certificate and enters the real data to access. After receiving the required information fraud site throws the user to this website service so the user doesn’t even realize that his data were just stolen.
Nina Lyon: That’s true. This is interesting but a couple of my friends found their accounts in the list and admitted that it was their single-use address. Now they realized that such a danger does exist and now they do think about protecting their data.
Ivan Tikhonov: The information about the first Yandex database being stolen was published on the forum but never received effect. but I saw quite active reaction on habrahabr.ru after the publication of the post a day after from some member called lagudal. That is why, after the publication Mail.ru and Gmail.com databases I also began to create such a topics:
- 4.5 million passwords from Mail.Ru mailboxes
- And now gmail.com: almost 5 million addresses published
It helped make people pay attention for real.
Nina Lyon: Also, I have a strange feeling - why would anyone decide to publish nearly 5 million addresses now? And if there is some underlying reason that most of stolen addresses belong to Russian-speaking users?
Ivan Tikhonov: Why these databases became widespread right now or whether it was planned or spontaneous leakage – I have no exact answer. Speaking about Yandex and Mail.ru, I agree that most of them are Russian-speaking audience. But the largest database, Gmail.com, was global. I received a lot of messages from people all over the world asking to verify their addresses. Also there are databases of the lesser-known foreign services that were also hacked or stolen but received less publicity.
I read a lot of speculations and opinions that it was planned publication aimed to tighten the nuts sink in the future, so to make laws and oblige, for example to use the telephone number identification, or even to make everyone use new governmental mail service. I wouldn’t ignore such possibility but I must note that we have very popular conspiracy theories, even too popular. I wouldn’t attribute the conspiracy to banal stupidity or carelessness.
Nina Ray: As a journalist I wanted to ask your opinion – maybe it is an example when we must look on Bitcoin technology of security and anonymity as an option to improve archaic registration system and passwords on different websites?
Ivan Tikhonov: If we speak about the identification system improvement – I think it is an expected step that must be taken but not only because of such a leaks and hacker attacks . If we take a look on the recent laws taken in the Russian Federation you can easily see their direction/intention. I may remind you a few: the mandatory /obligatory identification of network users, ban of anonymous Wi-Fi, ban to fund transfers between the unidentified accounts of citizens, and increased limits on transfers, draft bill of equating virtual currency to monetary surrogates and their ban, popular bloggers and websites registration and disclosure. There are others but the intention can be seen - laws aimed to make greater transparency and reduced or eliminated anonymity of citizens. So I wouldn’t be surprised if they add mandatory identification by checking mobile phone numbers.
Speaking about how Bitcoin technology could help in this case – I've been talking about adding more decentralized services. Of course we cannot exclude the human factor, but such a service can protect us from large centralized services being hacked. The first steps to make this possible are already taken, for example bitmessage, but a lot of things must be improved in this technology, it is only in its infancy. I would like to see something that binds the functionality of gmail and skype on a decentralized basis. Such a product is destined to become popular.
Did you enjoy this article? You may also be interested in reading these ones: