Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Crime Security

13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites 149

The Daily Dot reports that yesterday a "group claiming affiliation with the loose hacker collective Anonymous released a document containing approximately 13,000 username-and-password combinations along with credit card numbers and expiration dates." Most of the sites listed are distinctly NSFW, among other places, but the list includes some of the largest retailers, too, notably Amazon and Wal-Mart.
This discussion has been archived. No new comments can be posted.

13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

Comments Filter:
  • Last ones you needed 3D to really get into them, few have 3D sets. I have 3D and bored fast with my selections.

  • by Anonymous Coward

    As indicated in the article, this is probably due to malware. The list of sites affected is large while the number of released account details is small. Malware usually doesn't even need to keylog anymore, it can just fetch passwords from the browser password store.

    With this in mind, changing your password now will likely not have a major effect (unless you are on the list). Since most people don't have the malware, and those that do will probably still have it when they update their account. Just wait a bi

    • by Anonymous Coward

      Haha, nice try anon, but you're not tricking me into giving you more time to mess with my porn accounts.

    • by houstonbofh ( 602064 ) on Saturday December 27, 2014 @01:48PM (#48680685)
      And even if ALL 13000 were Amazon, that is a tiny percentage of accounts. It would be nice if they had posted the link so you could look for your name. Now it is hidden so the people least likely to be on the list (those with enough clue not to install the malware) can find it in a few minutes, but those most likely to be on the list will have no clue how to...
      • by thogard ( 43403 )

        It could have been a small subset of a larger leak. Perhaps 13,000 out of millions that just happen to have the same seed values so they could be cracked easier. Of course then someone would have had to try those 13,000 against some of the top 100 web sites in the world but that should have left their fingerprints in logs all over the world.

    • by raymorris ( 2726007 ) on Saturday December 27, 2014 @01:55PM (#48680725) Journal

      Most of the listed sites have far more than 13,000 registered users, so access to the member database of just ONE of the sites would have yielded a much larger dump.

      Also, some of the sites store only a properly salted, modern hash of the password, so there's almost no way to get passwords from the sites' servers.

      It's pretty clear the hack is in the client side. We may have a look to see of the logs go back far enough to tell us which browser version, OS, and toolbars or addons those members were using.

      Source - I designed the authentication and authorization systems for some of those sites.

      • Relax... It is totally obvious that this was a malware dump to anyone who is not a technical journalist. :)
      • by Anonymous Coward

        Some of it is probably just stuff from simple phishing sites. People are dumb.

      • by Tom ( 822 )

        It's pretty clear the hack is in the client side.

        The list of sites alone is clear enough on that, even if you know nothing about them. Someone just had a little lolz with the botnet he owns anyways. TFA advise is totally bogus: They don't post the list of sites to advise people to check their accounts, they do it because it's their excuse for posting a list of x-rated stuff on a non-x-rated site. Pure sensationalism.

        We may have a look to see of the logs go back far enough to tell us which browser version, OS, and toolbars or addons those members were using.

        Or which desktop dancing nude woman they installed, or old version of flash player they use, or any other of a thousand possible problems.

        Mos

      • And you decided to go with salted hashes instead of scrypt/bcrypt/etc. why?
        • by raymorris ( 2726007 ) on Saturday December 27, 2014 @06:43PM (#48681953) Journal

          Both brypt and scrypt would PROBABLY work, especially bcrypt, but they're designed for a different use. What you want for password storage is confidence that if the bad guy gets F(plaintext,salt), (the hash) they can't derive the plaintext. It's a one-way trap door - you can compute the hash from the plaintext password, but not the other way around. You do not care about any aspects of the output, other than that it can't be used to infer the input (and that it has a guaranteed reasonable maximum length).

          For a key derivation function, it's ALL about the output. You're trying to create output that has particular attributes, such as pseudo- random bits, long length, and bonus points if they length can be extended to go on forever.

          Key derivation algorithms sometimes work okay as hashes (for password storage), but almost by accident. That's not what they're designed for. To achieve the very different goals of KDAs, they tend to be much more complex, and therefore much more likely to contain subtle undiscovered weaknesses. I'd rather use something designed for the job at hand. I wouldn't, however, say someone is WRONG to use bcrypt for the purpose. If a student turned in a project that used bcrypt for password storage, I wouldn't mark down their grade. It's just not my personal preference.

          • As it happens, I'm trying to make a good KDA right now at work, for very specific interpretations of the word 'good'.
            I may be done in a year or two.

          • by Fweeky ( 41046 )

            Er, not really? You want a well-optimized function to turn a password into a very big unpredictable number in a way that's computationally complex, and that's precisely what KDFs are made to do. The entire crux of your argument against such use seems to boil down to "but they sometimes let you specify how big a number you want", as if this added complexity and risk somehow massively outweighed that created by rolling your own slow crappy little alternative.

            • > really? You want a well-optimized function to turn a password into a very big unpredictable number in a way that's computationally complex

              You want the hash algorithm to be SLOW, not "well optimized"

              You don't care about turning it into an unpredictable number.

              You don't want it to be computationally complex. In fact you sometimes enforce O(1) time, you don't want a longer or different password to take longer to hash, because that facilitates timing attacks.

              "Rolling your own slow, crappy"? Like I mentio

              • by Fweeky ( 41046 )

                You want the hash algorithm to be SLOW, not "well optimized" ... You don't want it to be computationally complex.

                How do you make an algorithm that's slow without being computationally complex? Writing it all in PHP doesn't count.

                The algorithm has to be slow because it's a lot of work. Your implementation has to be fast to maximise the security benefit of using it in the first place.

                You don't care about turning it into an unpredictable number.

                What else do I want a hash function to return?

                In fact you sometimes enforce O(1) time, you don't want a longer or different password to take longer to hash, because that facilitates timing attacks.

                Pad your inputs and use constant time comparison functions, kids.

                • Look up "computational complexity" sometime. A computationally complex algorithm is one that gets much slower as the input gets longer. For small inputs, low-complexity algorithm can be, and probably will be much slower than a high a complexity algorithm.

                  For password hashing, you want the very lowest possible complexity - constant time. Low complexity, constant time, doesn't mean fast; it means that the time and space required is the same for any legal input. If it's slow for all inputs, that's low co

                  • by Fweeky ( 41046 )

                    Yes, I used "computationally complex" to mean "takes a lot of steps to complete". You and your "words mean stuff", stop evading the point.

                    Why is a KDF like PBKDF2, bcrypt or scrypt, a poorer option for password storage than rolling your own? Please use words which mean stuff.

                    • > Why is a KDF like PBKDF2, bcrypt or scrypt, a poorer option for password storage than rolling your own?

                      Rolling your own is stupid. I never said using a good KDF was worse than rolling your own algorithm of unknown quality and unknown behavior.

                      In fact, I said bcrypt specifically is acceptable, that I wouldn't take points off your grade for using bcrypt. A better choice is a properly vetted hash that's designed as a hash, such as SHA256. Using a KDF as a hash is like using a butter knife as a screwdri

                    • by Fweeky ( 41046 )

                      A better choice is a properly vetted hash that's designed as a hash, such as SHA256

                      ... which you then need to, at a minimum, apply salting and key stretching to. Good work, you just rewrote most of PBKDF2, just without the peer review, sane defaults, and for most people, probably in a language where the function call overhead exceeds the cost of the hashing.

                      Using a KDF as a hash is like using a butter knife as a screwdriver - it gets the job done, and professionals normally use the tool designed for the job rather than substituting.

                      Hashes are not designed for password storage, that's the entire reason we're having this conversation in the first place. People use KDF's for password storage because that's what they're made for. Anyone who uses a plain old hash h

                    • > a minimum, apply salting and key stretching to.

                      It's not being used as a key. Key stretching would be pointless. You stretch to get a longer key if your goal is to derive a strong key - a Key Derivation Function. Password hashes aren't used as xryptographic keys. They're stored, period. They say "when all you have is a hammer ..."

                      KDFs are for key derivation. That's why they're called key derivation functions. How is that hard to understand.

                    • by Fweeky ( 41046 )

                      It's not being used as a key. Key stretching would be pointless. You stretch to get a longer key if your goal is to derive a strong key

                      You want a strong key! Key stretching isn't just about making a physically longer key, it's about making a stronger one, such as by iterating your hash function a million times.

                      KDFs are for key derivation. That's why they're called key derivation functions. How is that hard to understand.

                      This is not in question. What is in question is why it's not exactly what you'd want out of a password hashing function - what difference does it make whether you're going to pass it to AES or to a comparison function?

    • by tlhIngan ( 30335 )

      As indicated in the article, this is probably due to malware. The list of sites affected is large while the number of released account details is small. Malware usually doesn't even need to keylog anymore, it can just fetch passwords from the browser password store.

      With this in mind, changing your password now will likely not have a major effect (unless you are on the list). Since most people don't have the malware, and those that do will probably still have it when they update their account. Just wait a bi

  • Download link? (Score:4, Interesting)

    by Anonymous Coward on Saturday December 27, 2014 @01:46PM (#48680679)

    The worst part about them being somewhat vague about which sites are compromised (amazon.com? .uk? .eu? .mars? .SetiAlphaV?) is i need to download the list now to check if my username, password and especially credit card number is on there and doing so potentially makes me a criminal. I'm not going to cancel my credit card on the off chance.

    When this kind of things go down a news source should show ONLY the usernames so at least people have a hint that they need to cancel their credit cards.

    • by hawguy ( 1600213 )

      When this kind of things go down a news source should show ONLY the usernames so at least people have a hint that they need to cancel their credit cards.

      Since in many cases the username is the users email address, many people would not want the world to know that their password to pleasebangmywife.com was compromised.... Especially not their wife.

      • Are you serious? The pleasebangmywife.com guys would love the extra advertising! It is the bronies that are ashamed.
    • It's likely few if any of the major retailers are compromised. In fact, I'd say it's probably NONE of the sites have been compromised at all. This is probably nothing more than a list of people infected with a particular piece of malware which has extracted their passwords. The broad range of sites, both retail and adult-themed, seem to bear this out. The malware was probably just harvesting passwords with a keylogger or had extracted them from the browser.

      You can generally tell when a breach occurs wit

  • by Presto Vivace ( 882157 ) <marshall@prestovivace.biz> on Saturday December 27, 2014 @01:53PM (#48680711) Homepage Journal
    How does this stunt make the world a better place? I just don't like online vigilantism. I also hate Guy Fawkes masks.
    • How does this stunt make the world a better place? I just don't like online vigilantism. I also hate Guy Fawkes masks.

      And remember, these are not "hackers", they are "security researchers".

    • by itzly ( 3699663 )
      Who said anything about making the world a better place ?
    • by Anonymous Coward

      There is no group "Anonymous". It was just the handle given to people that didn't log in to 4chan. It's like Slashdot's "Anonymous Coward". Some of the 4chan users took to talking about themselves as if they were a group and the media picked up on this and ran with it. The media and random people began attributing characteristics to this imaginary group, like "hacktivism." and "lulz". But the reality is that there is no Anonymous at all. Anyone telling you the group has some particular aspect or chara

  • by wonkey_monkey ( 2592601 ) on Saturday December 27, 2014 @02:05PM (#48680763) Homepage

    13,000 Passwords, Usernames Leaked For Major Commerce, Porn Sites

    Replacing the word "and" with commas pointless, annoying.

  • List removed (Score:5, Informative)

    by RyoShin ( 610051 ) <tukaro@gma i l . com> on Saturday December 27, 2014 @02:09PM (#48680777) Homepage Journal

    The list that was posted has apparently been removed [ghostbin.com] (if you can get to the site, which seems to be under heavy traffic with people looking for it). Furthermore:

    While it's difficult at this point to definitively know how the hackers acquired the material, Chris Davis, a cybersecurity researcher and fellow at the University of Toronto's Munk School of Global Affairs, hypothesized that one likely possibility, based on the information contained in the leak, is that the hackers made use of a botnet. "The list of credentials [in the published list] fits that bill pretty well," he explained.

    Malware explains the odd collection of websites, relatively small number of accounts, and supposedly-plaintext passwords. So anyone affected who changes their password will just have that new password picked up unless they've exorcised their computer.

  • xx,000 (Score:4, Interesting)

    by gmuslera ( 3436 ) on Saturday December 27, 2014 @02:22PM (#48680843) Homepage Journal
    That is pocket change compared with the 38 millon Adobe users [krebsonsecurity.com] of last year or the 7 millon dropbox users [techly.com.au] last october.. Even Sony hack of the data of internal users were in those order of numbers.
    • When you write comparisons like this you need to start with the smaller numbers at the beginning otherwise the last ones seem less important.

  • by Anonymous Coward on Saturday December 27, 2014 @02:38PM (#48680939)

    Took me less then 5 minutes to figure out this is a click bait scam using collections of older password leaks and money for clicks URL referers. And the 'news' are eating it raw, generating fear and helping it spread. Which is exactly how this scam was designed to work.

  • by Viol8 ( 599362 ) on Saturday December 27, 2014 @02:54PM (#48681023) Homepage

    Not.

    Just fuck over 13K people who've done neither you nor anyone else any harm why don't you, you sorry little teenage dickheads. True hackers used to have either a moral or a technological purpose. Now its just a bunch of children vying for bragging rights on 4chan and screw anyone who gets hurt.

  • by Anonymous Coward on Saturday December 27, 2014 @02:56PM (#48681027)

    DataBreaches.Net is carrying an article saying that the leaks are nothing new.

    http://www.databreaches.net/verifying-leaks-uncovers-fake-leaks/

    "Posted by @Cyber_War_News to Pastebin today:

    Today has been interesting, to say the least.

    Skipping all the bullshit lets get right to the main stinky shit.
    Anonymous twitter user @AnonymousGlobo announced earlier today this:
    https://twitter.com/AnonymousGlobo/status/547426305151860736
    https://twitter.com/AnonymousGlobo/status/548537460691857408

    Now after working with data leaks for years now it became clearly obvious to me that this was fake. why?
    because real leaks do not get combined, real leaks often have a common format, the targets attacked have accounts leaked daily from phishing and other simple methods."
    [more snipped]

  • why doesn't amazon support two-step authentication yet? it's ridiculous. my twitter account seems to have more security than the site I spend actual money on.

    • by qwak23 ( 1862090 )

      Maybe they figure that by the time you get through the second step you'll have reconsidered buying a blender that plays "margaritaville" while it blends.

The aim of science is to seek the simplest explanations of complex facts. Seek simplicity and distrust it. -- Whitehead.

Working...