
Collective investigation: how did the database with the Yandex account passwords appear?

After reading the news about the leak of the Yandex password database and Yandex's official statement, along with the comments, it became clear that the situation is tangled and that some people believe the database leaked from Yandex itself.

Seeing the users' distrust, I decided to put all the facts side by side and work out logically the most likely way the database came into existence:

1. Brute force;
2. Phishing;
3. Cross-checking against other leaks;
4. Leak from users' computers;
5. Leak from Yandex;
6. Leak from the special services;
7. The database was assembled over a long time from various sources;
8. Through mobile operators (if a phone number is linked to the account).

1. Brute force

Directly brute-forcing passwords like "51iII% jch ^ f6" is practically impossible, or at least impractical, even if there were no protection against brute force at all. Here, I think, no further comment is needed.

2. Phishing

Some users in the comments say that they have not used their mailbox since 2005, or have forgotten the password altogether. If these statements are taken as true (a cursory look at their profiles reveals nothing suspicious), then even if phishing did take place, this database is not the result of a single mass phishing campaign.

3. Cross-checking against other leaks

Again, commenters state that the password was used only for the mailbox and on Habr. It is unlikely that the password was first stolen from Habr and then tried against the mailbox. Even if some were taken from Habr, this is not a mass phenomenon (if you can also rule out this option for yourself, write in the comments).

4. Leak from users' computers

Although this option is possible, there are still doubts that the passwords of some of these users could have been stolen this way. I am looking for more convincing examples (if you have any, write in the comments).

5. Leak from Yandex

There are no facts. The only way to refute this is to prove the opposite. One can see that if Yandex stores password hashes, then some of these passwords would have taken a very long time to brute-force. Example: for an unsalted md5 hash of a 10-character password drawn from lowercase + uppercase Latin letters + digits + special characters, there are 96 ^ 10 = 66483263599150104576 variants. To go through that many candidates, for example with such a program and a powerful video adapter (take a speed of 5000M / s), you would need (96 ^ 10/5000000000/60/60/24/365) approximately 421 years, or 421 powerful video adapters and 1 year. The password from the database "03jkd64k57d6t9h6 $! X &" is 20 characters long, which would require far more time or computing power.
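The estimate above, carried through in code as an added example (not part of the original post): it reproduces the 96 ^ 10 keyspace and the 5000M / s figure, and generalizes them to any alphabet size, password length and hash rate so the 20-character case can be compared directly.

```python
"""Added example: estimate the cost of exhausting a password keyspace against
an unsalted, fast hash (md5 in the post) at a given hash rate. The alphabet
size (96) and rate (5000M / s) are the post's figures; everything else is a
straightforward generalization of its arithmetic."""
import math
from decimal import Decimal

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # the post's /60/60/24/365 factor


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords, kept as an exact integer."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent entropy in bits: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, hashes_per_second: int) -> float:
    """Years needed to try every candidate at the given rate.

    Decimal arithmetic keeps precision for keyspaces far beyond float range
    (96 ** 20 is about 4.4e39); the final value is small enough for a float.
    """
    seconds = Decimal(keyspace(alphabet_size, length)) / Decimal(hashes_per_second)
    return float(seconds / SECONDS_PER_YEAR)


if __name__ == "__main__":
    rate = 5_000_000_000  # 5000M hashes per second, the post's assumption
    for length in (10, 20):
        print(f"{length} chars, 96-symbol alphabet: "
              f"{keyspace(96, length)} candidates, "
              f"{entropy_bits(96, length):.1f} bits, "
              f"{years_to_exhaust(96, length, rate):.3g} years at {rate} H/s")
```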

6. Leak from the special services

This is a junk database of sorts. The special services would have a better one. My comments are below.

7. The database was assembled over a long time from various sources

The most likely option, in my opinion. My arguments are below.

8. Through mobile operators (if a phone number is linked to the account)

Given that Habr is not populated by people naive about information security, it can be assumed that the passwords were stolen in some way through a mobile operator. I don't know whether this was a mass phenomenon or not, but recently a friend told me how a considerable amount was stolen from his Yandex.Money account. Shortly before that, his phone stopped finding a network, i.e. the SIM card stopped working, as if it had been reissued at the operator's office and the old one blocked. The money was stolen during that period. The operator said they had no information about this, and issued a new SIM card, because the old one no longer worked. There is no proof; perhaps someone will share theirs if this is a mass phenomenon.

My mini-investigation

At first I tried a random search for passwords with special characters, after which I googled these mailboxes: I could not find them anywhere on the Internet. I decided to use a small Vkontakte loophole that I discovered long ago, and checked whom these mailboxes are registered to on Vkontakte as follows:

1. Click on password recovery;
2. Enter the mailbox address;
3. We are asked whether this is the page for which we want to recover the password, and the name, avatar and city are displayed;
4. In the vk.com search, search by first name, surname and city and compare the avatar;
5. If not found, google by first name and surname, go through the vk.com pages from the search results and compare the avatar;
6. If still not found, use Google image search with the user's avatar link, adding the first name and surname to the query if necessary;
7. Profit.

Result:

hellraiser84@yandex.ru: 03jkd64k57d6t9h6 $! X &
iurusov.tolya@yandex.ru: hdkYwk * ^ 2v2

The users are blocked or the page has been deleted. I did not look for links to their pages.

alisa.arhangelskaya@yandex.ru: 51iII% jch ^ f6
vk.com/id108362638

super.denvgj2010@yandex.ru: jgbkcvbf ^ sdlfewi
vk.com/id103201231
(The vk.com search did not find the page, but Google did.)

kijaka@yandex.ru: s1gh57NTS %% ^%
vk.com/id64404050
(Found by the avatar through Google image search, with the first name and surname added to the query.)

Two of the pages are empty; the first one contains some spam.

There is no particular pattern here, and more pages need to be checked, but I still managed to identify a pattern based on other data: a suspiciously popular password was found, after which another user noticed that the logins using this password were automatically generated. I noticed that they are scattered randomly across different parts of the file (alternatively, perhaps not randomly, because the mailboxes may be listed in order of registration time; but, considering that the database contains both mailboxes from 2005 and recently registered ones, this option is unlikely, as are the others). It seems that these mailboxes were deliberately mixed throughout the database so as not to arouse suspicion and to support the statistics showing that there are many valid addresses and the database is not fake.

To confirm the common origin of these addresses, we check the mailboxes on Vkontakte as described above:

vla13854625@yandex.ru
dmi46685101@yandex.ru
dmi16144725@yandex.ru

They are all registered under the same name, which again hints that these mailboxes were deliberately mixed in with the rest to inflate the size of the database.
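The two signals used above, a suspiciously popular password and machine-generated logins (three letters plus eight digits, like vla13854625) scattered through the file, can be checked mechanically when triaging a dump. This is an added example, not code from the post; the dump it parses is constructed sample data, and the three-letters-plus-eight-digits pattern is an assumption drawn from the three addresses quoted above.

```python
"""Added example: triage a login:password dump for padding signals described
in the post. SAMPLE_DUMP is constructed data, not real credentials."""
import re
from collections import Counter

# Assumed shape of the generated logins quoted in the post: 3 letters + 8 digits.
GENERATED_LOGIN = re.compile(r"^[a-z]{3}\d{8}$")

SAMPLE_DUMP = """\
alice.smith@example.com:Winter-2014-ok
vla13854625@example.com:qwerty123
bob77@example.com:c0rrect.horse.b4ttery
dmi46685101@example.com:qwerty123
carol.w@example.com:Tall%Green$Lamp
dmi16144725@example.com:qwerty123

dave@example.com:p3ar+tree+house
malformed line without a separator
"""


def parse_dump(text):
    """Return (login, password) pairs; split on the first ':' only, since
    passwords may themselves contain ':'; skip blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        login, password = line.split(":", 1)
        pairs.append((login, password))
    return pairs


def generated_logins(pairs):
    """Logins whose local part matches the generated-login pattern."""
    return [login for login, _ in pairs
            if GENERATED_LOGIN.match(login.split("@", 1)[0])]


def generated_positions(pairs):
    """Line indexes of generated logins; spread-out indexes support the
    post's observation that they are scattered rather than clustered."""
    return [i for i, (login, _) in enumerate(pairs)
            if GENERATED_LOGIN.match(login.split("@", 1)[0])]


def popular_passwords(pairs, min_count=3):
    """Passwords reused at least min_count times, most common first."""
    counts = Counter(password for _, password in pairs)
    return [(pw, n) for pw, n in counts.most_common() if n >= min_count]
```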

What is the result?

It seems to me that Yandex really is not to blame here. I tried to put all the facts together, reason logically and identify some patterns that can at least prove something indirectly.

I invite everyone to discuss this issue together. Give arguments for and against these assumptions, or offer your own.

Source: https://habr.com/ru/post/236169/
