
What if the LinkedIn Password Leak Was a Hoax?


Recently the major sites LinkedIn and eHarmony acknowledged that their password lists, but not the user names, were leaked and posted on the Internet. A third site, Last.fm, suspects it may have been compromised and is proactively resetting passwords. But what if it was a hoax? Would there be anything to gain from it?

Consider the same scenario, but where the list of hashed passwords is not from the web site being targeted. Lists of passwords from previously compromised sites are easy to obtain via a simple web search.

Once a list of hashed passwords is created, one can easily fool the media and general public into thinking the compromise is real. People who find their password in the list will often assume the password was actually leaked by the target web site. Many will find a match because they reused a password with one of the previously compromised sites. Others will find a match simply because they chose a popular password used by hundreds if not thousands of other people.

A lot of people won’t find a match, but the media will largely ignore them. In the LinkedIn scenario, only 6 million passwords out of 161 million users were leaked. That means only 4 out of every 100 people should find a match.

So our criminal has convinced the general public, and possibly the target company, that there was a major leak. Now what?

Our criminal is going to do exactly the thing LinkedIn, eHarmony, and Last.fm are NOT doing: sending everyone a “Reset your Password” email. The email will of course send the user to a fake site designed to look like the target, a classic phishing scam. Only this time the target is inadvertently helping them by admitting the leak. Of course the criminal has no idea who the real users are, but there are plenty of email lists available from the spam providers to get them started.

Had LinkedIn been using salted passwords all along, the story only changes slightly. The target company could see that the salt/password combinations don’t match the salts in their database, allowing them to deny the leak. But that doesn’t really help because people are trained to not believe companies that are denying wrongdoing. Match it with an email that says something like, “To avoid a scare we are only alerting the handful of people like yourself who were actually compromised” and they can still trick enough people to make it worth their effort. And unfortunately this will work despite the fact that the target site tells their customers they will never send a “Reset your Password” email.
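The salt-based check described above can be made concrete by comparing a claimed leak against your own credential store. This is an added example, not code from the article or from any of the companies it names; the hash scheme, the user list and the fabricated “leak” are all constructed for the illustration.

```python
import hashlib
import os
from typing import Dict, List, Tuple

Store = Dict[str, Tuple[bytes, str]]  # username -> (salt, hex digest)

def hash_password(password: str, salt: bytes) -> str:
    # Constructed scheme for the example: SHA-256 over salt || password.
    # Any per-user salt gives the property shown here; production code
    # would use a slow, salted KDF (scrypt, bcrypt, argon2) instead.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def build_store(users: Dict[str, str], salted: bool) -> Store:
    """Hash each user's password with a random 16-byte salt, or with none."""
    store: Store = {}
    for name, pw in users.items():
        salt = os.urandom(16) if salted else b""
        store[name] = (salt, hash_password(pw, salt))
    return store

def leak_overlap(store: Store, leaked: List[str]) -> float:
    """Fraction of the claimed leak that equals a digest we actually store."""
    ours = {digest for _, digest in store.values()}
    return sum(1 for d in leaked if d in ours) / len(leaked) if leaked else 0.0

# Constructed data: our users and the passwords they chose.
OUR_USERS = {"alice": "correct horse", "bob": "123456", "carol": "password"}
# A "leak" fabricated from another site's unsalted digests of popular
# passwords; nobody needed to compromise us to produce it.
HOAX_LEAK = [hash_password(pw, b"") for pw in ("123456", "password", "qwerty", "letmein")]

def triage(users=OUR_USERS, hoax=HOAX_LEAK) -> Dict[str, float]:
    """Overlap rates that tell a genuine leak of our store from a hoax."""
    unsalted = build_store(users, salted=False)
    salted = build_store(users, salted=True)
    real_leak = [digest for _, digest in salted.values()]
    return {
        "hoax_vs_unsalted": leak_overlap(unsalted, hoax),  # 0.5: popular passwords collide
        "hoax_vs_salted": leak_overlap(salted, hoax),      # 0.0: foreign digests can't be ours
        "real_vs_salted": leak_overlap(salted, real_leak),  # 1.0: every digest is in our store
    }

if __name__ == "__main__":
    for name, rate in triage().items():
        print(f"{name}: {rate:.2f}")
```

With unsalted hashes the hoax list partially matches purely because users reuse popular passwords, so the match rate proves nothing; with per-user salts a genuine dump matches every stored digest and a fabricated one matches none.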

Once they have the real usernames and passwords from the phishing site, the criminals can gather the email addresses and other information from people’s real accounts. They may even actually change the password for the target site so the user never figures out that they were scammed.

At this point there is no technology for major sites to prevent this sort of attack. Very small sites can supplement passwords with two-factor authentication such as SecurID, but that isn’t practical for a site with millions of casual users. The only real protection is at an individual level. Users have to not reuse passwords between sites and be careful about checking URLs when re-entering that password. There are tools to help the user do this, such as LastPass and 1Password, though they introduce their own risk of having all the passwords compromised at one time.
