Anatomy of a Breach

Anatomy of a Breach: The Credential Dump Summer — Last.fm, eHarmony, and Yahoo Voices

> series: anatomy_of_a_breach —— part: 043 —— pattern: credential_dump_summer —— accounts_exposed: 45,000,000+ —— theme: broken_password_storage<span class="cursor-blink">_</span>_

Hedgehog Security 31 July 2012 12 min read
data-breach lastfm eharmony yahoo formspring credentials password-storage series
Breach #043

One summer. Four breaches. 45 million credentials.

In the weeks following the LinkedIn breach, a cascade of credential dumps hit the internet. Last.fm (43 million accounts with unsalted MD5 hashes), eHarmony (1.5 million unsalted MD5 hashes), Yahoo Voices (453,000 usernames and passwords stored in plaintext), and Formspring (420,000 salted SHA-256 hashes) all disclosed breaches within weeks of each other. Together with LinkedIn's 117 million, the summer of 2012 exposed over 160 million credentials — establishing credential theft as the dominant data breach category and credential stuffing as the dominant attack methodology for the rest of the decade.

The theme across all four breaches was identical: inadequate password storage. Last.fm used unsalted MD5. eHarmony used unsalted MD5. Yahoo Voices stored passwords in plaintext — not hashed at all. Only Formspring used salted hashes, which provided meaningful protection. The credential dump summer proved that the lessons of Gawker (2010), Sony Pictures (2011), and HBGary (2011) had not been learned — and that the internet's credential infrastructure was systemically broken.

The Pattern
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Every breach had the same root cause.

Service Accounts Password Storage Time to Crack
LinkedIn 117 million Unsalted SHA-1 Minutes for common passwords
Last.fm 43 million Unsalted MD5 Seconds with rainbow tables
eHarmony 1.5 million Unsalted MD5 Seconds with rainbow tables
Yahoo Voices 453,000 Plaintext — no hashing Instant — passwords readable as-is
Formspring 420,000 Salted SHA-256 Hours to days — salt prevented rainbow tables
The Consequence

Credential stuffing becomes the dominant attack.

The credential dump summer created an enormous pool of verified email-password combinations that attackers used for credential-stuffing attacks against corporate systems, banking platforms, and cloud services for years afterwards. The lesson is simple: if your users reuse passwords (and most do), then a breach at any service they use is effectively a breach of your service too — unless you have deployed multi-factor authentication.

MFA — now a Cyber Essentials Danzell auto-fail criterion — is the only reliable defence against credential stuffing. Dark web monitoring through SOC in a Box alerts you when your users' credentials appear in breach datasets. Our web application testing verifies password storage security and MFA implementation. And UK Cyber Defence provides incident response when credential compromise leads to account takeover.

Credential Security

160 million credentials were exposed in one summer. How many were your users'?

<a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for your credentials in breach databases. <a href="/cyber-essentials">Cyber Essentials</a> mandates MFA. Our <a href="/penetration-testing/web-application">application testing</a> verifies your password storage. Because if your users' LinkedIn, Last.fm, or eHarmony passwords are the same as their corporate passwords, you have been breached too.

Commission a Security Assessment Next: Saudi Aramco / Shamoon
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 31 December 2016

Anatomy of a Breach: 2016 Year in Review — The Year of Billions, Botnets, and Election Interference

Breach #096 and the 2016 finale. The year Yahoo disclosed not one but two mega-breaches (500 million in September, then 1 BILLION in December — later revised to all 3 billion accounts), Adult Friend Finder lost 412 million accounts, the Mirai botnet used IoT devices to take down half the internet, Russia hacked the DNC to influence a presidential election, the Shadow Brokers stole the NSA's cyber weapons, the Bangladesh Bank lost $81 million through SWIFT, and a hospital paid Bitcoin ransom to get its systems back. The year the scale of cyber threats broke through every previous ceiling.

data-breach year-in-review
14 min read
Anatomy of a Breach 30 September 2016

Anatomy of a Breach: Yahoo — 500 Million Accounts and the Breach That Nearly Killed a $4.8 Billion Acquisition

Breach #093. In September 2016, Yahoo disclosed that at least 500 million user accounts had been compromised in a state-sponsored attack that occurred in late 2014 — two years before the disclosure. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in some cases, security questions and answers. The disclosure came while Verizon was negotiating a $4.83 billion acquisition of Yahoo — ultimately resulting in a $350 million price reduction. And the worst was yet to come: three months later, Yahoo would disclose an even larger breach.

data-breach yahoo
13 min read
Anatomy of a Breach 30 September 2013

Anatomy of a Breach: Adobe — 153 Million Accounts and the Largest Data Breach in History

Breach #057. In October 2013, Adobe disclosed that attackers had compromised approximately 2.9 million customer accounts. Within weeks, security researcher Brian Krebs revealed the true scale: 153 million accounts — making it the largest data breach ever reported at the time. The passwords were stored using 3DES encryption (not hashing) in ECB mode, which allowed researchers to crack millions of passwords through pattern analysis. Adobe also lost source code for Acrobat, ColdFusion, and other products.

data-breach adobe
14 min read
All Posts Get in Touch