In a chat today lasting over an hour, we got to talk to a person claiming to be the infamous hacker behind RockYou‘s latest data security woes.
While he claimed to have no animosity toward users, he had one clear message for websites: Take better care of your customers’ data. RockYou isn’t the only hacked site storing plain text login information, either.
To bring us all up to date, here’s the gist of the story so far: The hacker, who we’ll call Tom (not his real name) for brevity’s sake, tells us that he used an SQL injection to gain direct access to RockYou’s database, where he found login information for more than 32 million user accounts. The data was all in plain text and contained third-party site logins, as well.
Tom sat on this information for a while. Although he’s posted about similar hacks in the past, he also claims to have exposed the same vulnerabilities and gained access to the same kind of data for many major U.S. sites. Tom wouldn’t reveal which sites he’d hacked, but he did say that he has no intention of using or publishing the data he’s unearthed.
But yesterday, incensed by this warning from an Internet security company and RockYou’s claims that only some accounts had been compromised by the security breach, Tom posted about the hack on his blog.
Why This Is a Bad Thing
One of the more interesting facets of the story is RockYou’s failure to appropriately protect user’s login credentials. The hacker showed us an image containing the last few lines of a 32,603,388-line, seven-column dataset weighing in at 276 MB. All the data we saw was in plain text; any grade schooler could have used this information to log in to users’ accounts.
“If you don’t store passwords for accounts, if somebody hacks you, what can he do? Deface your site. The end,” said Tom.
“That’s nothing against 32 million emails with passwords. Count how many of them have PayPal. If I check every one, and only 10 percent of them have it, and I take only $10, it’s a pretty nice amount, don’t you think?”
The hacker makes an excellent point with this object lesson, and he clearly holds RockYou and its ilk squarely at fault.
Tom, who says he’s employed in a good security-related job, believes there should be laws requiring companies to encrypt user data. He said, “They are now hunting for me, but why? I didn’t do anything wrong. They should now be in jail because they put all of these people at risk. This was just for illustration.”
What We Can All Do
Tom says that one out of every three sites he’s gained access to store user data in plain text databases. “Server owners can use third-party sites for authentications, like Facebook, Google, OpenID or OAuth.” he said. “Why the [redacted] would they want user passwords? I don’t understand that.”
For websites, the hacker recommends using hashes with salt or PCI DSS to protect user data. He said that message-digest algorithm-5 (MD5) is an inadequate solution. As a case in point, check out this post we saw today on Slashdot. “If you’re storing it in MD5, it’s nothing… It’s no problem to use a GPU cracker, or better, a botnet of PS3s. I’ve got three at home.”
As far as users are concerned, Tom said, “Companies are putting people at risk by storing their data that way. [Users] should use their brains and generate a strong password for each site. He noted that Roboform, PassPack and KeePass are all good tools for storing and maintaining passwords.
For the time being, Tom said he plans to leave the RockYou data unpublished and allow his actions to serve as a warning to users and websites to take better care of their data and identities.