Syrian Electronic Army hacks Forbes, spills 1M user records - here's what you need to know

Filed Under: Data loss, Featured, Privacy

The hacking crew SEA - short for Syrian Electronic Army - infamously tried and failed to make off with Facebook's website last week.

That wasn't an attempt to break into Facebook's empire, but rather an attempt to relocate it by tricking one of Facebook's service providers into diverting Facebook's web traffic to imposter servers.

Fortunately for Facebook - and, no doubt, fortunately for the sales guys working the Facebook account at the service provider! - the attack did not succeed.

But the SEA got a lot further this week with business news site Forbes, breaking into the company's network, and posting "proof that we were there" screenshots, snapped from one of Forbes's WordPress systems: hacked by the Syrian Electronic Army #SEA.

It turns out that the SEA didn't just get to look around - the hackers were able to steal a massive user database containing more than 1,000,0000 records.

→ The file ultimately released by the SEA contained 1,057,819 unique usernames. Most reports give a number of 1,071,963, which is also correct, being the number of lines in the file.

The story gets an intriguing kink at this point.

The SEA first announced its intention to sell the file:

#Forbes users table(1,071,963 user-email-password) was dumped successfully, Anyone want to buy it?

Strictly speaking, the file didn't actually contain passwords, but only scrambled representations of them (about which more in a moment), something that may have made the data less valuable to any potential purchaser.

At any rate, the SEA then quipped:

No, We are going to publish it for free really. #SEA

This was followed up with:

We will publish the database as soon as we find a secure host to upload the database on it. #SEA

If "secure" sounds like a curious word for a server on which you plan to offer openly to the public a bunch of data that is supposed to be private, don't forget that the Holy Trinity of computer security embraces not just confidentiality, but also integrity and availability.

To data dumpers like the SEA, "availability" means that it should be difficult for anyone else on the internet to block access to the data that's being leaked, in order to maximise exposure.

Shortly after that, the dump found a home where anyone who wanted could grab a copy:

@Forbes users table dump:TXT version: http://[redacted]/forbes-wp_users.txt Compressed: http://[redacted]/ #SEA

What was stolen

The records in the data dump look like this (data has been deliberately altered):

Each record seems to have the following fields:

 1 = Numeric ID
 2 = Username
 3 = Stored password data
 4 = Display name
 5 = Email address
 6 = Website or other URI
 7 = Timestamp (one-second granularity)
 8 = Unknown
 9 = "0"
10 = Full name
11 = "0"
12 = "0" 

The eighth field is intriguing, as it is almost always missing, except in about 1% of the records.

When it appears, it is either a 32-character hexdecimal value (data has been deliberately altered):


Or a 20-character encoded string using a larger character set:


We can't tell you what that data is for (if you know, or wish to speculate, please tell us in the comments!), but as the field is blank 99% of the time, we'll focus on the golden nugget in each record.

The trophy data

The trophy data that could get the crooks into your account, or into other accounts if you have re-used passwords, is field three, the stored password data:


But how is the password data stored?

When Forbes announced its breach, it published the following statement on Facebook:

Security message: was targeted in a digital attack and our publishing platform was compromised. Users' email addresses may have been exposed. The passwords were encrypted, but as a precaution, we strongly encourage Forbes readers and contributors to change their passwords on our system, and encourage them to change them on other websites if they use the same password elsewhere. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach.

If you remember, we took Adobe to task, when it was breached last year, for saying that its passwords were "encrypted" when we assumed it meant "salted and hashed."

It turned out that Adobe's passwords were encrypted, all with the same key, and using the wrong sort of encryption mode (Electronic Code Book, which doesn't disguise repetitions such as two users with the same password).

But this time, we can happily take Forbes to task, as the passwords were salted and hashed, not encrypted.

It's a pity Forbes didn't say so, and give explicit detail on how the salting-and-hashing had been done.

That would have given a useful indication of how likely it is that password crackers will be able to recover individual passwords by simply trying over and over until they hit the jackpot.

That sort of attack is called a dictionary attack (when you use a giant list of likely passwords, e.g. a dictionary), or a brute force attack (when you use an algorithm to generate passwords following a pattern such as AAAAA to ZZZZZ).

How the passwords were hashed

Fortunately, we can tell you - and, of course, Forbes, who didn't seem to know when it issued its breach notification - how the passwords are stored.

They use what's called PHPass Portable format, and each stored password field is deconstructed as follows:

The $P$ denotes the PHPass Portable format, which uses a variable number of iterations, a 6-byte random salt, and the MD5 hash function.

B stands for 13, and means that the passwords use a loop of 213, or 8192, iterations of the MD5 hash in order to stretch out the computation time to slow down brute force attacks.

The next 8 bytes are a 64-bit encoding of the 6 random salt bytes.

The last 22 bytes are a 64-bit encoding of the final 16-byte output from the iterated hash function, which runs like this in pseudocode:

salt = six_random_bytes()
hash = MD5(salt + password)
for i = 1 to 8192 do
   hash = MD5(hash + password)
data = "$P$" + "B" + encode64(salt) + encode64(hash)

The encode64() algorithm is similar, but not exactly the same as, base64: each three bytes of input (3 x 8 bits) are transcoded into four bytes of output (4 x 6 bits).

Since six bits can produce 64 distinct values (26), each value can be represented by a single plainly-printable ASCII character: PHPass uses dot, slash, 0-9, A-Z and a-z.

Can the passwords be cracked?

You can "work backwards" from the Forbes datatbase to recover the passwords, but you need a lot of computing power, or time, or both.

Strictly, of course, you don't work backwards, because hashes are deliberately designed to be non-reversible.

Instead, for each record, you extract the salt, and then plug the salt, combined with every password from a long list, into the algorithm above.

If at any point you get a match, then the password you just tried is the one that the user chose, and you have cracked that user's account.

The large number of iterations here - 8193 invocations of the MD5() hash function for every password attempt for every user- is good, since it makes this attack 8000 times slower than checking a simple password hash.

And the salt means that even if two users choose the same password, the two final hashes end up completely different, so each user's password has to be cracked separately: you can't use a precomputed password-to-hash table.

→ That's why [at the time of writing, 2014-02-16T00:20Z] you probably haven't yet seen any extensive lists analysing the passwords in this breach, which you almost certainly would have if a simpler hashing system had been used.

How well did users choose?

Despite the fact that well-chosen passwords are hard to crack here due to the 8193 iterations needed to test each password against each user, we can tell you that plenty of users in the list have made poor password choices.

It took about an hour, using one core of a vanilla laptop, to crack close to one-quarter of the passwords of the 500 or so Forbes employees in the database.

We somehow felt it was fairer to start with the addresses, since it was Forbes that was breached.

Amongst other obvious choices, there was one password, one sunshine, three with changeme (why didn't you!), and fifteen with welcome1.

Astonshingly, 73 Forbes staffers (more than one-eighth of the list) had chosen a password consisting of their company's name, forbes, followed by zero to four digits. 1 and 123 were the most common suffixes.

One chap had gamely tried "elite" spelling, where you swap Os for zeros, Es for threes, and so on.

Warning: that's not good enough - password cracking software knows perfectly well that f0rb3s is just another way of spelling forbes.

What to do?

  • If you are a Forbes user, change your password now. (Or delete your account.)
  • If you have used the same password on other accounts, change them now and DON'T DO THAT AGAIN.
  • Choose a complex password so the crooks will crack other people's passwords first.
  • Read our article Serious Security - How to store your users' passwords safely.

Forbes did the wrong thing by getting breached in the first place, and by letting the SEA make off with its password database.

And while the the 8193-iteration MD5-based hashing system described is a little short of modern best practice (try a stronger hash that takes longer to calculate, with more iterations), it's better than Adobe's disastrous "one key to encrypt them all" system.

So there's your silver lining.

, , , , ,

You might like

9 Responses to Syrian Electronic Army hacks Forbes, spills 1M user records - here's what you need to know

  1. Stephen H · 160 days ago

    Why am I not surprised that Forbes is not posting a warning front and centre on their home page?

  2. Nate · 160 days ago

    #8 My guess is that this is a reset password token, used to when a user requests a password reset.

    They generate this token, send the user a link with the token as a parameter, and the then delete the token after the password has been changed.

    Some users may currently be trying to reset their passwords, or a password request has been made but never finished.

    • Paul Ducklin · 160 days ago

      Hmmm. Good thinking. Could be an account creation token (as well or instead)...though I'd guess that the percentage of uncompleted account creation confirmations would be higher than 1%, for reasons I realise are 100% guesswork :-)

  3. It appears to be a user creation token (user_activation_key to be exact). They're using WordPress, and the tables are documented.

    • Paul Ducklin · 158 days ago

      Ha! Don't know how I missed that. Thanks!

      Seems like my reply to @Nate's guess was close to the mark...if that field is the same as the text string in the "confirm your account email" of someone who never did click confirm...perhaps we can find someone who never confirmed, is in the leaked data, but never deleted the opt-in email :-(

  4. Anonymous · 159 days ago

    Interesting... according to my password manager, I have a Forbes account. I've been trying to login to delete that account , but all the site does is hiccup out some type of message that's onscreen too briefly to read. Perhaps the site is experiencing indigestion.

  5. #8 - Could it be accounts that authenticate with Facebook or Twitter?

  6. Anonymous · 158 days ago

    Mil gracias

  7. Victor L-S · 158 days ago

    Do we know the creation time of each entry? Could #8 be a field implemented during development but now unused? Alternately, but unlikely, a field just added for some current feature.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog