A smallish sample of usernames and passwords allegedly stolen from services listed as PlayStation Network (PSN), Windows Live and 2K Gaming has been leaked by a trio of crackers calling themselves…
…naaaah, we’re not going to repeat their names.
We’ll just say, three crackers have dumped a text file of about 5500 lines that they say are credentials from the above services.
Usually, when crooks leak some of their haul, they’re assuming that you’ll go and try some of the accounts yourself (which would be a criminal offence in most countries, even if your motivation was honourable, so for your own sake don’t do it).
The idea is that once a few people have tried a few randomly-chosen accounts and found that they work, the story that the crooks have “plenty more where those came from” suddenly sounds more plausible.
The dump
The dumped data is in a variety of formats, but many of the entries have at least an email address and what purports to be a password to go with it.
We’re not going to publish any of the dumped credentials, but where passwords are allegedly revealed, they are all somewhere between trivial and very easy to crack, such as:
password
password123
metallover
easy-hack
girlfriendsname
Initial.Lastname
n00bn00b
This suggests that the passwords (if they are real) were not recovered in plaintext form but had been hashed somehow, and only the sort of hashes that could easily be cracked made the list.
Some of the entries have what looks like a password hash as well, with a mixture of formats like this:
61b7f3e2f4f4734b950a2614864c8ad4
1f7f27de490021893e89ccd9d15b49f5316791fe
cc1e3cb903d0cf1c802f95c1ee045167$8G96aa56
$1$MWY2MDk2$ZTljNTdiMTNkZDkzYWQzYz
Judging by the lengths of each of the strings, you might guess these are meant to be:
32 hex chars -> 16 binary bytes -> unsalted MD5 hash
40 hex chars -> 20 binary bytes -> unsalted SHA1 hash
32 hex chars + $ + 8 alphas -> salted MD5 hash
$1$ + 8 b64s + $ + 22 b64s -> passwd-style salted MD5 hash
Seems a bit of a strange mix to me.
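As an added example (not code from the article or from Naked Security), here is a small Python triage script that sorts dump lines into the four shapes guessed above and rates the unsalted ones as the highest risk, since an unsalted digest is identical for every user who picked the same password and so falls to a single precomputed table. The sample entries are constructed for the example (digests of the string "password123" and a syntactically valid but made-up "$1$" line), and the salt alphabets in the regular expressions are assumptions about the formats rather than anything the dump itself states.

```python
import hashlib
import re

# Each pattern is (label, regex, salted). Lengths follow the rule of thumb in
# the article: a hex digest of n chars encodes n/2 bytes, so 32 hex = 16-byte
# MD5 and 40 hex = 20-byte SHA1. MD5-crypt ("$1$") uses a salt of up to 8
# characters and a 22-character digest, both from the ./0-9A-Za-z alphabet
# (assumed here; the dump does not say which scheme produced its lines).
PATTERNS = [
    ("unsalted MD5 (32 hex / 16 bytes)",
     re.compile(r"^[0-9a-f]{32}$", re.I), False),
    ("unsalted SHA1 (40 hex / 20 bytes)",
     re.compile(r"^[0-9a-f]{40}$", re.I), False),
    ("salted MD5, hash$salt (32 hex + $ + 8 chars)",
     re.compile(r"^[0-9a-f]{32}\$[A-Za-z0-9]{8}$", re.I), True),
    ("passwd-style MD5-crypt ($1$salt$digest)",
     re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), True),
]


def classify(entry):
    """Return (label, salted) for one dumped string; salted is None if unknown."""
    entry = entry.strip()
    for label, rx, salted in PATTERNS:
        if rx.match(entry):
            return label, salted
    return "unrecognised", None


def risk_of(salted):
    """Rate exposure: unsalted digests share one rainbow table across all users."""
    if salted is None:
        return "n/a"
    return "medium" if salted else "high"


def triage(entries):
    """Classify every entry and return a list of (entry, label, risk) tuples."""
    rows = []
    for entry in entries:
        label, salted = classify(entry)
        rows.append((entry, label, risk_of(salted)))
    return rows


# Constructed sample lines in the four shapes the article describes; none of
# them come from the dump. The digests are of the string "password123".
SAMPLE_ENTRIES = [
    hashlib.md5(b"password123").hexdigest(),
    hashlib.sha1(b"password123").hexdigest(),
    hashlib.md5(b"password123").hexdigest() + "$abcd1234",
    "$1$saltsalt$" + "a" * 22,   # right shape, not a real crypt() output
    "not-a-hash-at-all",
]

if __name__ == "__main__":
    for entry, label, risk in triage(SAMPLE_ENTRIES):
        print(f"{risk:6} {label:46} {entry}")
```

Run it as a script to see the sample lines classified; feed `triage()` your own list of strings to get a quick count of how many entries are in an unsalted format, which is the figure that tells you how cheaply the whole set could be attacked.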
Real or hoax?
Are the account credentials real?
If so, were they really hacked loose from the networks claimed?
Or were they begged, borrowed or stolen from some other crook who had acquired the data via other means?
The presence of hashes means nothing from a forensic point of view. By publishing a hash and a matching password, you are inviting readers to infer that you stole the hash from the service provider, and then cracked the password from it. But you might have acquired the password straight from a user’s computer, e.g. using keylogging malware, and simply calculated the hash directly from it. Or made the whole thing up.
Should you change your password?
The answer, I suppose, is that just in case the crooks are telling the truth, then you might as well change your password, assuming that you use one of the three services they claim they cracked.
But what if the crooks are lying?
Well, even if all the passwords in the dumped list are made up, they are nevertheless of a sort that should make you think, “That could have been cracked, because it’s just too guessable.”
So, at the least, take this as a warning to learn How To Pick a Proper Password:
[Video: How To Pick a Proper Password, also available on YouTube with closed captions]
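As an added example (not part of the article), the kind of check a registration form can run to catch the shapes seen in the dump before a password is accepted: a dictionary word with digits bolted on, two common words run together, leetspeak substitutions, or a personal name. The word list is a constructed stand-in for a real breach-derived list, and the twelve-character floor is an assumption for the example, not a figure from the article.

```python
import re

# Constructed mini word list standing in for a real list of common
# passwords; a production check would use a breach-derived list instead.
COMMON_WORDS = {
    "password", "metal", "lover", "easy", "hack", "noob",
    "qwerty", "letmein", "welcome", "dragon",
}

# Undo the usual leetspeak swaps so "p@ssw0rd" is seen as "password".
LEET = str.maketrans("01345 7@$".replace(" ", ""), "oleastas")

MIN_LENGTH = 12   # assumed policy floor for this example


def split_into_words(s, words, max_parts=3):
    """Return a list of words from `words` that concatenate to s, or None."""
    if s in words:
        return [s]
    if max_parts == 1:
        return None
    for i in range(1, len(s)):
        if s[:i] in words:
            rest = split_into_words(s[i:], words, max_parts - 1)
            if rest:
                return [s[:i]] + rest
    return None


def weakness_reasons(password, personal_terms=()):
    """List the obvious reasons a password is guessable; empty means none found."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    # Drop trailing digits/punctuation ("password123" -> "password"), undo
    # leetspeak, then keep letters only so "easy-hack" becomes "easyhack".
    stem = re.sub(r"[^a-z]+$", "", lowered).translate(LEET)
    letters = re.sub(r"[^a-z]", "", stem)
    parts = split_into_words(letters, COMMON_WORDS) if letters else None
    if parts:
        reasons.append("built from common word(s): " + "+".join(parts))

    for term in personal_terms:
        if term.lower() in lowered:
            reasons.append(f"contains personal term '{term}'")
    return reasons


if __name__ == "__main__":
    # Constructed inputs in the shapes the article lists, plus one passphrase.
    for pw in ["password123", "metallover", "n00bn00b", "easy-hack",
               "J.Smith2014", "purple-tractor-eclipse-42"]:
        print(pw, "->", weakness_reasons(pw, personal_terms=("smith",)) or "no obvious weakness")
```

An empty result is not proof of strength, only the absence of the cheap patterns this check knows about; the useful property is that every password style the dump exhibits is rejected before it ever reaches the hash table.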
So, must we really look for the dump ourselves?
Seriously, this stupidity of these security sites not putting the leak in the news is hilarious. It’s not gonna stop anyone reading nakedsecurity from looking for it (it takes 5 minutes, tops!). I need to verify if my password was leaked. And seriously, who cares about getting someone else’s PSN?!
If you care so little about other people’s PSN passwords (if that’s not meant to be irony), why are you so worried about your own?
The reason I generally avoid linking to so-called leaks like this is that to do so just gives “click love” where it is undeserved. Most people will not need or even want to see the list, so why should I act as the SEO arm of the crooks? Under the circumstances, which I think are clear from the article, I can’t see any clear and present benefit in pointing everyone straight at the list, rel=nofollow or not.
So if you *really* need the list (and you don’t), it is, as you say, pretty quick and easy to find. But you have to cross the bridge of wanting to look yourself.
Explained through the medium of popular music, You can’t always get what you want/You can’t always get what you want/But if you try sometimes/You just might find/You get what you need.
I agree. If you are worried about your password, just change it and job done, no worries. Isn’t it good practice to change your passwords every so often anyway?
It’s not inherently bad to change your password every so often, but be careful of forcing yourself to change yours (or promoting a policy that requires others to change theirs) on a regular basis, “just because.”
We explain why that can backfire in this Techknow podcast…
https://nakedsecurity.sophos.com/2012/03/11/busting-password-myths/
If you didn’t use Play Station, you wouldn’t have a problem!
Except that it wasn’t just limited to (Sony) Playstation, but other sites as well.
I agree, Playstation Network has a poor history of security and is hacked every year. With Sony’s billions in their coffers you would expect them to do better. That is why I use a PC for gaming. It is crazy to pay $400 for a PS4 and be stuck to a weak network when you can pay the same or a bit more and have multiple choices and peace of mind.