Yahoo Breach Could Mean Your Other Services are Compromised

With Wednesday's attack on the Yahoo Voices servers, which exposed over 400,000 accounts, it is worth understanding how to assess the integrity of your own accounts. If you have any suspicion that you could be affected by this (or any other) breach, it is time to comb through your accounts and change some passwords. First, some precautions:

You can’t assume the only information the hackers have is the information that was publicized. Just because a hacker group publishes a list of email addresses and (hopefully still hashed) passwords, it is not wise to assume that is all they took. Account details usually live in the same database as the credentials, so whoever got into the servers likely had access to EVERYTHING stored there: your full name, street address, phone numbers, security-question answers, et cetera. If payment details are kept in that same database (less likely, since card data is usually segregated, but still possible), your credit card information could be at risk too. The point is that you need to consider the possibility that everything that website knows about you has been compromised.

Cracked passwords and email addresses can be used to get into any other service where you reused those credentials. Think like an attacker: once you have someone’s email address and password, what would you do with them? The first thing I would try (if I were evil) would be to go to the email provider (Gmail for addresses, Yahoo for addresses, and so on) and log into the mailbox itself with the cracked credentials. If this has you worried because you use the same password for your email, change it now, and change it to something no other account uses (and turn on two-factor authentication if your provider offers it). An attacker inside your email is an extremely bad thing, because they can trigger password resets for every other account you own and receive the reset links themselves. They will comb through your deleted mail, search your inbox for “password” or “account info”, and probably uncover plenty to work with. Don’t let this happen: if there is one account you should keep most secure, it is your email account.

Just because your password hash was leaked, it does NOT mean your password was cracked. Any well-run service stores not your plaintext password but a “hash” of it: the output of a one-way mathematical function that is extremely hard to reverse. If your password was “dog”, the hacker will not see the plaintext but instead “06d80eb0c50b49a509b49f2424e8c805”, which is the MD5 hash of “dog”. Two caveats apply. First, not every site does this; some breaches (the Yahoo Voices dump among them) have exposed passwords stored in plaintext. Second, the example above is unsalted MD5, which is fast to compute and gives every user with the same password the same hash, so it is the easiest kind of hash to crack; a well-built site adds a random per-user salt and uses a deliberately slow function such as bcrypt or PBKDF2. If you have an extremely strong password (tips in a bit), you might not need to worry that the hashes were published: if the hackers cannot crack the hash, your password is still valid and not compromised. However, it is good practice to assume it was cracked and change it anyway 😉
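As an added illustration (not code from the original post), here is what the two storage schemes look like in Python: the unsalted MD5 from the “dog” example above, and a salted, iterated PBKDF2 hash that a site should use instead. The 16-byte salt and the 200,000 iteration count are choices made for this example, not a recommendation from the post.

```python
import hashlib
import hmac
import os

# Added example; not code from the original post.
ITERATIONS = 200_000          # example choice; raise it as hardware gets faster


def md5_hex(password: str) -> str:
    """Unsalted MD5, the fast scheme behind the post's 'dog' example.
    Every site that uses it turns the same password into the same hash, so one
    cracked hash (or a precomputed table) unlocks every user who chose it."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Salted, iterated hash. A fresh random salt per user means identical
    passwords get different hashes and precomputed tables are useless; the
    iteration count makes every guess thousands of times more expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, digest)


def same_password_same_hash(password: str, scheme: str) -> bool:
    """True if two users who share `password` end up with identical stored hashes."""
    if scheme == "md5":
        return md5_hex(password) == md5_hex(password)
    return pbkdf2_hash(password)[1] == pbkdf2_hash(password)[1]


if __name__ == "__main__":
    print("md5('dog') =", md5_hex("dog"))
    salt, digest = pbkdf2_hash("dog")
    print("pbkdf2 salt =", salt.hex(), "digest =", digest.hex())
    print("verify 'dog':", verify_pbkdf2("dog", salt, digest))
    print("verify 'cat':", verify_pbkdf2("cat", salt, digest))
    print("md5 repeats across users:", same_password_same_hash("dog", "md5"))
    print("pbkdf2 repeats across users:", same_password_same_hash("dog", "pbkdf2"))
```

The point of the salt is visible in the last two lines: with MD5, a cracker who recovers one user's “dog” has recovered it for everyone, while with a per-user salt each hash has to be attacked separately, and each attempt costs 200,000 SHA-256 rounds instead of one MD5.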

Choose secure passwords! Honestly this should have been the first paragraph. There is no excuse for weak passwords on your accounts. Hackers have a variety of methods for cracking credentials. Brute-force attacks enumerate every possible string of every length up to some limit. Dictionary attacks hash each entry of a word list and compare it with your hash, and these are no ordinary dictionaries: they contain millions of real leaked passwords plus word-and-number combinations and character sequences people commonly choose. Mask attacks use the site’s password policy to shrink the brute-force search: if your password has to be 6 to 8 characters and contain at least one number, the attacker only tries strings that fit that pattern, skipping the enormous space of candidates the policy would never have accepted.

So why can’t the hackers just crack every password? In theory they could, but the attacker’s one real constraint is time. If a task takes too long, he or she will eventually give up. Thankfully there are ways to protect yourself from both dictionary and brute-force cracking…

  • Brute-forcing means trying every possible combination of letters, numbers and symbols. Depending on the size of the character set and the length, this can take a LONG time. To get a feel for it, take the example password “dpkj”: four characters from the lowercase alphabet (26 possibilities per position). My desktop has two NVIDIA 9800 graphics cards (moderately old) and tries around 300,000,000 MD5 hashes a second with a GPU cracker.
    Enumerating every length up to four (a, b, …, z, aa, ab, …, zzzz) takes 26^4 comparisons for the last length alone, about 457,000, and roughly 475,000 in total. At 300M hashes a second that is about 0.0015 seconds. Obviously not secure. Going to eight lowercase letters, 26^8 is about 2.1 × 10^11, which this rig exhausts in roughly 12 minutes; still not good. “qweqweqweqwe”, twelve lowercase letters, is 26^12, about 9.5 × 10^16 comparisons and around 3,680 DAYS on my modest computer. As you can gather, length is the dominant factor against brute force, because it sits in the exponent. A larger character set helps too: eight characters drawn from all 95 printable ASCII characters is 95^8, about 6.6 × 10^15 comparisons, or roughly 256 days at this rate. So adding a $ symbol, a capital letter and some digits to an eight-character password turns minutes into months, but adding four more characters does far more. Keep in mind these figures are for a fast, unsalted hash like MD5; a properly salted bcrypt or PBKDF2 hash cuts the attacker’s rate from hundreds of millions per second to thousands, and a sufficiently determined attacker can also rent far more GPU time than two old cards.
  • Dictionary attacks are only as good as the dictionary used. (Here is a useful list of free dictionaries available for download!) These word lists can contain over 23 million entries. If your password is “apple123”, there is almost certainly a line in most English-language lists that matches it. As you can gather, length matters less here; the best protection against a dictionary attack is to avoid dictionary words and the common ways of decorating them. That can make a password hard to memorize, so opting for a middle ground is a good start. “Leetspeak” substitutions sound clever, but modern cracking rules account for “4pp13” instead of “apple” and “h4110w0r1d” instead of “helloworld”, and they also try the usual suffixes (“apple123”, “apple!”, “Apple2012”), so be creative. Random symbols in the middle of a password, rather than tacked on the end, are a good defence because no rule in the cracker is likely to produce that exact string from a dictionary line.
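To make the attack types and time estimates above concrete, here is a small cracker written for this edit (it is not the author’s tool or any real cracking software). It deliberately targets unsalted MD5 like the post’s example, and the “leak”, the word list, the leetspeak rules and the 300M hashes/second rate are constructed sample data chosen to match the figures in the text.

```python
import hashlib
import itertools
import string

# Constructed sample leak (usernames and unsalted MD5 hashes), not real data.
# The hashes are computed here only so the example is self-checking.
LEAK = {
    "alice": hashlib.md5(b"dpkj").hexdigest(),   # short, lowercase only
    "bob":   hashlib.md5(b"4pp13").hexdigest(),  # leetspeak "apple"
    "carol": hashlib.md5(b"xy98").hexdigest(),   # fits a "letters then digits" policy
}
WORDLIST = ["password", "apple", "dragon", "letmein"]   # constructed mini dictionary
GPU_RATE = 300_000_000                                   # hashes/second from the post

# Leetspeak rules: each character may stay as is or be replaced by a listed symbol.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}
# hashcat-style mask placeholders.
MASK_SETS = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
             "d": string.digits, "s": string.punctuation}


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode()).hexdigest()


def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates needed to exhaust every length 1..max_len (a, b, ..., zzzz)."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def crack_seconds(charset_size: int, length: int, rate: float,
                  all_lengths: bool = False) -> float:
    """Worst-case time to exhaust the keyspace at `rate` hashes per second.
    The post's figures count only the final length (charset ** length)."""
    n = keyspace(charset_size, length) if all_lengths else charset_size ** length
    return n / rate


def brute_force(target: str, charset: str, max_len: int):
    """Try every string over `charset` up to max_len; return the match or None."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            if md5_hex(cand) == target:
                return cand
    return None


def leet_variants(word: str):
    """Expand a word into every leetspeak spelling the LEET table allows."""
    choices = [c + LEET.get(c, "") for c in word]
    return {"".join(t) for t in itertools.product(*choices)}


def dictionary_attack(target: str, words, use_leet: bool = True):
    """Hash each word (and, optionally, its leet variants) and compare."""
    for word in words:
        for cand in (leet_variants(word) if use_leet else {word}):
            if md5_hex(cand) == target:
                return cand
    return None


def mask_attack(target: str, mask: str):
    """Mask such as '?l?l?d?d' = two lowercase letters then two digits.
    A policy like 'letters followed by numbers' shrinks the search from
    62^4 candidates to 26^2 * 10^2, which is the point of a mask attack."""
    sets = [MASK_SETS[ch] for ch in mask.split("?")[1:]]
    for tup in itertools.product(*sets):
        cand = "".join(tup)
        if md5_hex(cand) == target:
            return cand
    return None


if __name__ == "__main__":
    for cs, n in [(26, 4), (26, 8), (26, 12), (95, 8)]:
        print(f"{cs}^{n}: {crack_seconds(cs, n, GPU_RATE) / 86400:.4f} days")
    print("alice:", brute_force(LEAK["alice"], string.ascii_lowercase, 4))
    print("bob:  ", dictionary_attack(LEAK["bob"], WORDLIST))
    print("bob, no leet rules:", dictionary_attack(LEAK["bob"], WORDLIST, False))
    print("carol:", mask_attack(LEAK["carol"], "?l?l?d?d"))
```

Note what each attacker had to know: nothing for alice (short passwords simply fall), a word list and a rule set for bob, and only the site’s password policy for carol. None of the three would have been cracked this way if the site had used a salted, slow hash, because the same loops would run at thousands of guesses per second rather than hundreds of millions.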

Now, I am not saying you will be 100% protected if you follow these tips, but large breaches like the Yahoo Voices one above or the LinkedIn breach in June of this year are bulk attacks on the database itself, not targeted attacks on your own account. With a bulk dump the crackers go after the easy hashes first: short passwords, dictionary words and their common variations fall within hours, and unsalted hashes like LinkedIn’s SHA-1 list get cracked in bulk very quickly because one pass over the word list tests every hash at once. A long, non-dictionary password is what keeps yours in the uncracked remainder that nobody bothers spending days upon days on.

The bottom line: stay calm, and properly assess the integrity of your online accounts!

Stay safe!