Already Hacked Hacking

After reading this news article by The Register:

http://www.theregister.co.uk/2013/02/02/twitter_breach_leaks_user_data/

I had a thought about how often this is starting to happen. Often the dumps are released to the public via torrents or other downloads.

See: http://www.huffingtonpost.com/2012/06/07/linkedin-password-hack-check_n_1577184.html

We’re not talking about a small number of passwords here either – that’s 6.5 million accounts. Were you one of these users?

Now, to the hackers these accounts probably didn’t mean anything because they have no association with these people. But perhaps YOU know someone on this list?

More importantly, maybe you know someone who was on this list?

Before I continue, if you’d like to check if your account has ever been dumped as part of a large hack – you can check here (or if you want to see if your victims/friends have had this fate): https://pwnedlist.com/

Hmm, I wonder if my friends have been hacked?

Pwned by Pwnedlist?

Moving on, it’s very possible that you or someone you know has had their password leaked in hash form (god forbid cleartext form!). If you’re like most human beings, you reuse passwords all over the net, and if someone took the time to crack your password hash from the dumped site then they may have a valid password for your other sites!

So this opens up a whole new level of cracking. Anyone could simply take your email and put it into Pwnedlist to check whether it was leaked at some point. If it was, it’s then just a matter of comparing which sites have had leaks against the sites the target uses. Chances are the password is reused in many other places across the web!
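To make the reuse problem concrete from the defender’s side, here is an added example (my own illustration, not code from the original post or from Pwnedlist). It takes a constructed breach dump in an assumed `email:sha1hex` format (unsalted SHA-1, which is what the 2012 LinkedIn dump used), checks whether any of your own accounts appear in it, and, for each one that does, checks whether the leaked hash equals the hash of the password you currently use there. A match means that password is burned everywhere you reused it. The last function shows why this cross-checking works at all: an unsalted hash of a reused password is identical on every site, a salted one is not. All emails, hashes and passwords below are constructed sample data.

```python
"""Offline breach-dump cross-check for your own accounts (added example).

Assumptions: the dump is text with one 'email:unsalted-sha1-hex' record per
line, and the passwords you pass in are the ones you currently use on those
sites.  Everything here runs offline on constructed sample data.
"""
import hashlib
import os

# Constructed breach dump.  The two real-looking hashes are SHA-1 of the
# sample passwords "password" and "12345"; the last two lines are malformed
# on purpose so the parser's skipping logic is exercised.
CONSTRUCTED_DUMP = """\
Alice@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob@example.org:8cb2237d0679ca88db6464eac60da96345513964
carol@example.net:0000000000000000000000000000000000000000
this line has no separator at all
eve@example.com:notahash
"""

# Status values returned by assess_accounts().
NOT_IN_DUMP = "not in dump"
IN_DUMP_OTHER_PASSWORD = "email in dump, leaked hash differs from current password"
PASSWORD_EXPOSED = "email in dump AND leaked hash equals current password: rotate it everywhere"

HEX_DIGITS = set("0123456789abcdef")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, as the constructed dump stores it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_dump(text: str) -> dict:
    """Return {normalised_email: sha1hex}, skipping malformed records.

    Emails are lower-cased and stripped so 'Alice@Example.com' and
    'alice@example.com' match; a record is kept only if the hash part is
    exactly 40 hex characters.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, digest = line.split(":", 1)
        email, digest = email.strip().lower(), digest.strip().lower()
        if len(digest) != 40 or not set(digest) <= HEX_DIGITS:
            continue
        records[email] = digest
    return records


def assess_accounts(dump: dict, my_accounts: dict) -> dict:
    """Cross-check my_accounts ({email: current_password}) against the dump.

    Returns {email_as_given: status}.  PASSWORD_EXPOSED is the case the post
    warns about: the attacker only needs to crack the hash once to hold a
    password that probably works on your other sites as well.
    """
    report = {}
    for email, password in my_accounts.items():
        key = email.strip().lower()
        if key not in dump:
            report[email] = NOT_IN_DUMP
        elif dump[key] == sha1_hex(password):
            report[email] = PASSWORD_EXPOSED
        else:
            report[email] = IN_DUMP_OTHER_PASSWORD
    return report


def reuse_visibility(password: str) -> tuple:
    """Show why unsalted hashes make reuse visible across dumps.

    Returns (unsalted_match, salted_match): the same password hashed
    without a salt on two sites gives identical digests (True); with a
    per-user random salt the digests differ (False), so one dump can't be
    matched against another without cracking each hash separately.
    (Real sites should use a password KDF such as bcrypt/scrypt/argon2,
    not a bare salted hash; salting alone is shown here for contrast.)
    """
    unsalted_match = sha1_hex(password) == sha1_hex(password)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    digest_a = hashlib.sha256(salt_a + password.encode("utf-8")).hexdigest()
    digest_b = hashlib.sha256(salt_b + password.encode("utf-8")).hexdigest()
    return unsalted_match, digest_a == digest_b


if __name__ == "__main__":
    # Constructed "my accounts" list: which of these are at risk?
    mine = {"Alice@Example.com": "password",
            "bob@example.org": "hunter2",
            "dave@example.com": "correct horse battery staple"}
    for email, status in assess_accounts(parse_dump(CONSTRUCTED_DUMP), mine).items():
        print(f"{email}: {status}")
    print("unsalted match, salted match:", reuse_visibility("password"))
```

Run it as-is and the Alice account comes back as exposed (the dump’s hash equals SHA-1 of her current password), Bob is in the dump but with a different password, and Dave is absent. The point of `reuse_visibility` is the one that matters for site operators: an unsalted hash of a reused password is the same string in every dump it appears in, so it only ever has to be cracked once.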

Even if your target/you haven’t been part of a dump yet, it would be trivial to write a script to check daily for this type of thing. (You can’t use their internal monitoring service because it asks you to verify the emails in order to do that.)

Bam, easy (and not too technical) hacking!

Till next time,

-mandat0ry

Matthew Bryant (mandatory)

Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.