
1,000,000 already-compromised passwords have been made public. How we protect Yandex users

Last night, in several places including Habr, information appeared about a database of passwords for some Yandex accounts. Over the past few hours we have analyzed it carefully and reached the following conclusions. First, this is not a hack of Yandex: the data became known to attackers as a result of malware on some users' infected computers, or of phishing. It is not a targeted attack but the result of harvesting compromised accounts over a long period of time.

We already knew about 85% of the compromised accounts in this database, through analysis of their behaviour or by other means. We had warned their owners and sent them to change their password, but they did not. This means that such accounts are most likely abandoned or were created by bots.

Checking whether you are on the list is very simple: just try to sign in to Yandex.Mail now. During the night we sent the owners of all the remaining accounts to a forced password change.
Of course, we do not store passwords in clear text, never transmit them over the network in clear text, and do not disclose them to any third parties. Moreover, most of these passwords are too simple, and today they could not even be set. Technical (and not so technical) details are under the cut.

Yandex user data is, of course, not stored in the open: we use a "salted hash" with a very long (48-bit) salt. Nor is this a case of a "mole": the passwords leaked from users, not from Yandex.

These passwords could not have been obtained by passive network sniffing: for a long time now, every situation at Yandex in which a password is transmitted has been protected by TLS. For example, in Mail the POP3, IMAP and SMTP protocols use STARTTLS or the TLS-enabled variants of those protocols. In the web version the password is sent to passport.yandex.* over HTTPS; these addresses not only use HSTS but are also placed on the so-called preload list of the Chrome, Mozilla and Yandex Browser browsers. Thus traffic to Passport always goes over HTTPS. All this allows us to rule out the sniffing version.

In our opinion, the published list of passwords is the result of long-term work: it is partly filled with data that was clearly captured at the moment the user entered it, either by a keylogger or through phishing. Password reuse across sites (the "cross-check" scenario) cannot be ruled out either: if a user uses the same password on different resources, a breach at one of them leads to the compromise of that user's other accounts.

Among the compromised passwords there are some (for example, "qwerty") that can no longer be set: we added them to our stop lists long ago. That is, the published list contains very old passwords, which we checked against our databases. This may explain why some commenters write that they found in the database a login they have not used for a long time: it could have been compromised not last week but several years ago.
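The two mechanisms described above, a per-user salted hash with a 48-bit salt and a stop list of passwords that can no longer be set, together with the step of checking a published plaintext dump against the hash store to find accounts that need a forced password change, are illustrated in the following added example. It is not Yandex code: the post does not name its hash function, so PBKDF2-HMAC-SHA256 and the iteration count are assumptions, and the stop-list entries other than "qwerty", the logins and the passwords are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Constructed stop list: passwords that may no longer be set. The post names "qwerty";
# the other entries are assumptions for this example.
STOP_LIST = {"qwerty", "123456", "password"}

SALT_BYTES = 6          # 48-bit per-user salt, the length the post mentions
ITERATIONS = 200_000    # PBKDF2 work factor; an assumption, the post does not name its hash function


def password_allowed(password: str) -> bool:
    """A password on the stop list is rejected at registration or password change."""
    return password.lower() not in STOP_LIST


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'. A fresh random salt is drawn unless one is supplied."""
    if not password_allowed(password):
        raise ValueError("password is on the stop list")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def accounts_to_force_reset(dump: list[tuple[str, str]], store: dict[str, str]) -> list[str]:
    """Check a published (login, plaintext) dump against the hash store.

    Returns the logins whose current password still matches the dump: those are
    live compromises that must be sent to a forced password change. Unknown logins
    and passwords that no longer match are stale entries, which is how the post
    can tell that much of the list is years old.
    """
    hits: list[str] = []
    for login, plaintext in dump:
        stored = store.get(login)
        if stored is not None and verify_password(plaintext, stored):
            hits.append(login)
    return hits


if __name__ == "__main__":
    # Constructed sample data for the example.
    store = {
        "alice": hash_password("Tr0ub4dor&3"),
        "bob": hash_password("correct horse battery staple"),
    }
    dump = [("alice", "Tr0ub4dor&3"), ("bob", "OldPassword2009"), ("carol", "qwerty")]
    print("force reset:", accounts_to_force_reset(dump, store))
    try:
        hash_password("qwerty")
    except ValueError as exc:
        print("rejected:", exc)
```

Because every user gets a different random salt, two users with the same password end up with different digests, so a leaked hash store cannot be attacked with a single precomputed table; the comparison is done with `hmac.compare_digest` so that verification time does not depend on where the digests first differ.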

According to our internal data, about 85% of the logins on this list were already known to us as compromised. By the time the list was published they had already been asked to change their password, but had not done so. This suggests that no living people use these mailboxes, and that the bots stopped using them once the password-change flag was set (a captcha has to be entered there, and bot operators usually prefer not to pay for captcha solving but simply to abandon the account).

Just in case, we also refute the speculation that employees of the special services have been given access to Yandex servers. We give nobody passwords in the clear, nor even their hashes. Employees of the FSB, CIA, NSA, Mossad and other bodies conducting operational-investigative activities (ORM) do not have access to Yandex servers. Access to the contents of a mailbox can be granted solely by court order.

Thus we rule out the versions about a password leak from Yandex, and we believe the database could have been filled by phishing, by compromised user computers, or by password reuse across sites.

A compromised password does not mean a compromised service. Passwords can be compromised because there is malware on the user's computer that sends personal data to attackers. Or they can "leak" through phishing, when an attacker's site looks like the real one and the user enters a login/password pair there. It also happens that users register on various dubious sites and choose the same password as for the mailbox they register with.

Phishing, password reuse across sites, and passwords leaking from users' computers because of malware are a constant problem for many popular services, not the result of a one-time, targeted attack on users.

Finally, I would once again like to recommend that everyone choose complex passwords and change them regularly. And I cannot resist giving a link once more to our favourite site on this topic: security.yandex.ru.

Source: https://habr.com/ru/post/236007/
