The network published a database of 98 million Rambler accounts

At the disposal of the resource leakedsource.com, specializing in information security, got the account database from the service Rambler.ru, which was stolen by intruders back in 2012. It was provided by the user daykalif@xmpp.jp, who is also responsible for publishing the last.fm account database.

Each of the 98,167,935 user accounts contains the username, password, and some other information. Separately, it is worth noting that the passwords are not encrypted and are stored in plain text. The most popular passwords of the database were “asdasd”, “asdasd123” and, of course, “123456”.

As one of the proofs of a leakedsource, it gives a screenshot of the beginning of a database dump:


One of the most well-known habra users - Trin mobilz Zotoff, we asked the following questions about this hacking:
')

1. Why are similar situations constantly repeated?
2. Why were passwords stored in clear?
3. How relevant is the base?
4. What do users do?
5. Those who have the password in the database, "Rambler" will offer to change the password?

I did not see the base itself, but I fully admit that the passwords were in the clear. This is a relic of the past, from which many services can not get rid of until now. In particular, I admit that it was not the main user base of the Rambler that was obtained, but some kind of conventionally “neighboring”, which was used for some old projects. It may contain both irrelevant and incomplete user base.

Why is repeated over and over again? It doesn't matter if the text or password hash is stored in the database, simple passwords like “123456” can be quickly recovered from the hashes. As we can see from the article, out of 100 million users, at least 6 million have very simple passwords. And this is only the top50. I have a dictionary for cracking passwords for 2 gigabytes, a text file, I think that with it you can recover up to 90% of passwords, since people are not always serious about security. Even if the service hashes passwords, they are still multiplied to recover, if they are relatively simple.

2-factor authentication from global hacks exactly save. Even knowing the victim's password, if the authorization is tied, including to the phone, then alas.

For the Rambler, as already mentioned, this is probably a relic of the past. Old services that you do not want to rewrite, compared passwords with just text. However, I saw modern services, who still manage to store passwords in clear text. Moreover, I stumbled upon projects, large projects, modern ones that stored hashes, but the passwords in the open form were next to the table.

Why is this necessary? To know user passwords). Earlier, very very long time ago, even knowing about hashes for some of my projects, I allowed storing passwords in the clear. This was done for the UserFriendly interface. Type ask you to restore the password to the mail and your current password immediately comes to your mail. Sometimes it is more convenient, no need to invent a new one, restore, etc. But I was stupid, of course). Now only hashes, only with salt, etc.

It says February 2012. If we recall the story of Yaku with the restoration of mail for hijacking asek - this base may be relevant for a very long time. Let's say you have long used the box on the rambler, but scored on it. The news about hacking didn’t bother you at all, you don’t use a rambler. But the Rambler remembers all your correspondence, all your contacts, including business contacts, and this information can be used.

Those who do not need boxes on Rambler - delete everything to hell. Who needs - change passwords and include 2-factor authentication.

Typically, such services independently change passwords to users and inform them about it.

According to leakedsource.com, at least part of the database may be relevant, which was revealed in the course of the audit with the participation of one of the journalists of the Hacker magazine.