Yesterday on Habré in the comments to the article about the leak of the Yandex password database, information appeared that a password database from Mail.Ru mailboxes got into the network. We analyzed all the accounts in this database, and we want to talk about what it was and what measures we took.

What happened? Where does the base come from?

Mass hacking, having a specific cause or security hole, did not happen. Analysis of the database showed that, most likely, it was collected in parts from several databases of passwords that were stolen from users at different times and in different ways, including using viruses, phishing, etc.

What gives us reason to think so?

Firstly, a rather large percentage of passwords from the database that has entered the network is currently irrelevant, that is, the box owners have already changed them.
')
Secondly, approximately 95% of the remaining accounts are already passing through our system as suspicious (that is, we believe that they were either created by a robot or hacked). Such accounts are limited in sending mail, and we recommend their owners to change their password.

How it works? We have a complex system, which, starting from registration, analyzes the actions of each account according to a number of criteria (we don’t want to talk about all, so as not to make life easier for attackers, but for example, one of the most obvious is an attempt to send spam from this account or sharp behavior change pattern). In this system, each account has a dynamic rating (called "karma"). As soon as the karma falls below a certain parameter, various sanctions begin to apply to the account, including a strong recommendation to change the password.

Thus, the owners of almost all the boxes from the found database, the passwords for which were still relevant, have long received from us a notification that suspicious activity was recorded from their mailbox and that they need to change the password as soon as possible. Judging by the fact that they have not done this yet, the conclusion is that many of them are “autoregistrations”. Such boxes, as a rule, are not restored after blocking, since it is quite expensive for attackers to bypass the protection for changing the password. Another significant part is the mailboxes abandoned by the owners (after all, it is difficult to actively use the account if you are not allowed to send mail, and a window pops up all the time asking you to change your password).

But what about the remaining 5%?

Yesterday, the owners of these boxes have already received a notification about the need to change the password.

And yet, how were the boxes taken away?

The most common ways to hack mailboxes are phishing, viruses on user computers, and too simple passwords. Another very common situation: users are too lazy to come up with unique passwords for each of their accounts and use a password from mail on forums, torrent trackers, or some other low-protection resources, which are then attacked. As a result, attackers gain access to a whole database of passwords, and then pick them up to other services, first of all, to the boxes, which are often indicated as a login or connection method.

We strongly recommend having a separate and very secure password on your email account, since many other services are tied to it.

What are we doing to protect our users?

We really do a lot in order to prevent the "hijacking" of boxes.

First, we excluded the possibility of MITM-attacks, because the transfer of user data in the web interface, and in our mobile applications, and in POP / IMAP / SMTP in Mail.Ru mail occurs via HTTPS / TLS / STARTTLS. Moreover, in the web interface, HTTPS always operates by default, using Strict Transport Transport Security (STS) technology, which forces the browser to always contact Mail.Ru immediately via HTTPS.

By the way, in contrast to the same Yandex, our main page also always works on HTTPS and is protected by STS, which makes it impossible to steal a password through the SSL Strip attack.

It is also impossible to intercept the password from Mail.Ru through the MITM attack of the IMAP service, since our IMAP service always and everywhere works only on TLS / STARTTLS. This is important, since it is the IMAP service that is most exposed to this attack, since it is often used on mobile applications, and it is most convenient to listen to traffic from Wi-Fi-networks. In addition, some e-mail services are neglected by such protection, and attackers know about it.

I would also like to note that the leakage of such data from within the company is practically excluded. Access to production servers and databases is strictly regulated. In addition, the passwords of Mail.Ru users are stored in an encrypted and “salty” form (that is, additional data is mixed in when encrypting the passwords). This means that even the theft of the password database does not allow its decryption. But the theft itself is impossible thanks to a multi-level security system.

so

We are trying hard to protect our users. Only in the last year or two we have implemented a number of large security features, for example, forced HTTPS in the Mail and on the main portal page, content security policy, separation of sessions on the portal, and much more. Launched the Bug Bounty program.

Unfortunately, all our efforts will be in vain if the user does not do his part to protect the mailbox. We, like many other Internet services, constantly talk about this to users, including on Habré, where we had a very detailed post about how to hack boxes and what needs to be done to protect our data. We are not going to talk about them in detail right now, we recall only the main ones: the password for the Mail should be a) complex, b) unique and c) it is desirable to change it regularly (ideally - at least once every three months).