
security 11M E-mails and passwords leaked (5M Gmail)

On September 11, @Raymond Hackney noted a leak involving around 5 million Gmail addresses. (He was in turn alerted by Carla Marshall of ReelSEO.) Normally I gather information about such issues quickly, but I didn't have time because I was working on our latest NamePros update. Now that we've gotten that released, it's time for a report!

There were various versions of the leak floating around the internet. The most complete version that I found contained about 11M entries; about 5M were from Gmail. Typically, an entry contained two items: an e-mail address and a plaintext password. Just over half of the e-mails were Russian, with a .ru ccTLD; mail.ru and yandex.ru were both common. Other popular providers like Yahoo and Hotmail were present.

It's worth noting that this leak was unusual. Normally, a leak is a database "dump": some group hacks a website or company, steals their database, and dumps its contents onto the internet for all to see. This leak was different because it wasn't a dump. Instead, it was someone's personal aggregate of all relevant dumps they had collected over time. These individual dumps weren't from large providers, but smaller websites. So the good news is: no, Google was not hacked.

Some of the entries are completely bogus, such as admin@gmail. There are also quite a few duplicates of some e-mails, indicating that the dumps were likely from a specific genre of websites. The most common e-mail address appears 736 times--yikes! Hopefully that's not indicative of the number of successful hacks that went into this leak. Excluding outliers, repeating addresses max out at around 45. These are very generic, like abc@* and 123@*. I think it's reasonable to assume that this leak was an aggregate of no more than 50 raw dumps.

What's particularly unfortunate for my analysis is that most of the data is missing. The aggregate has been stripped down to only include e-mails and passwords, though there are a few mistakes--no usernames and nothing that could indicate the original source of the information. It's also quite likely that a large number of entries were excluded.

It's unlikely that this was meant to correlate with September 11, since it was released at least one day prior, was intended for a Russian-speaking audience, and contains a majority of Russian e-mails.

While I have not tested the e-mail/password combinations myself for obvious reasons, more daring individuals report that about 40% of the unique, realistic entries can be used to log into the corresponding e-mail provider's website. This is particularly unfortunate because it means at least 40% of people use the same password nearly everywhere and probably haven't changed their passwords in a long time. To make matters worse, these people likely frequented sites oriented toward hacking and other (anti-)security activities, so they should have known better. It's a sad day for information security everywhere.

Is my e-mail on the list?

If your e-mail uses your own domain name rather than that of a large e-mail provider, then it's probably not in the public leak. That's not to say there doesn't exist a leak with your information: it's just not in this particular public leak, which seems to have been heavily filtered.

There are websites floating around that offer the ability to check whether an e-mail is in the leak, but I'm not sure how complete their databases are. isleaked.com seems to have the same data as me. Alternatively, you can PM me your e-mail, and I'll check to see if it's in the leak that I have.

Small websites--especially those that are controversial--tend to be the target of most of these attacks. Such websites tend to overlook security, or lack the necessary expertise. Usually they have no idea that their services are insecure and will never realize that they've been hacked. However, larger service providers are still targeted from time to time; similarly, they rarely notice, or rarely publicize the event. Your best option is to use a randomly generated password for each website and store them in a safe, secure place. Popular online password managers have been hacked in the past, but there's risk involved with any approach. I'm a fan of Clipperz, which encrypts and decrypts all information in the browser, not on the server.

Technical and Statistical Details

The aggregate was improperly assembled and contained text of at least two character encodings. This made it difficult to process. I went with CP866, a popular 8-bit encoding in Russia; it matched the majority of the text. Unfortunately some UTF-8 entries containing what were likely Chinese characters were mangled.

Top e-mail hosts:

Code:
gmail.com        4 822 499
mail.ru          3 595 813
yandex.ru        1 975 621
bk.ru              162 902
list.ru            119 264
yahoo.com          101 035
inbox.ru            97 151
hotmail.com         82 616
aol.com             45 970
rambler.ru          44 586
Missing field        2 038
Other values        80 068

Top e-mail users:
Code:
0206seddr92            736
00lion                 736
john                   160
info                   154
vale.josh               86
123                     82
sales                   78
barry                   60
asd                     58
email                   54
Missing field        2 064
Other values    11 125 295

Top passwords:

Code:
123456             128 165
qwerty             103 383
123456789           32 845
qwertyuiop          22 224
111111              17 783
qwe123              16 606
password            13 276
12345               11 754
1234567890          10 862
12345678            10 297
1234567             10 223
123123               8 168
123321               7 887
1qaz2wsx             7 683
qazwsx               7 486
1q2w3e4r             7 218
7777777              7 102
000000               6 708
666666               5 504
klaster              5 395
123qwe               5 327
1q2w3e4r5t           5 269
654321               5 217
zxcvbnm              4 861
qweqwe               4 718
1q2w3e               4 613
555555               4 552
qwer1234             3 918
gfhjkm               3 644
112233               3 579
1234                 3 578
1234qwer             3 507
abc123               3 503
qwerty123            3 480
121212               3 433
159753               3 427
987654321            3 237
asdfgh               3 130
iloveyou             2 906
777777               2 847
samsung              2 483
                     2 411
zxcvbn               2 398
123654               2 362
marina               2 308
q1w2e3r4t5           2 264
asdfghjkl            2 174
222222               2 124
ghbdtn               2 032
123456a              2 029
0987654321           2 002
password1            1 961
zaq12wsx             1 925
nikita               1 837
master               1 824
Exigent              1 807
88888888             1 805
asdasd               1 792
131313               1 792
999999               1 768
159357               1 765
qazwsxedc            1 751
dragon               1 743
27653                1 722
q1w2e3r4             1 674
monkey               1 649
qweasd               1 640
qweasdzxc            1 619
1qazxsw2             1 616
11111111             1 614
12344321             1 602
123123123            1 593
333333               1 584
qwerty1              1 582
1111111              1 563
aaaaaa               1 559
tinkle               1 534
qwaszx               1 534
princess             1 519
4815162342           1 518
qazxsw               1 516
123456q              1 511
qwertyu              1 507
147258369            1 486
qwertyui             1 455
12345a               1 421
target123            1 420
1111111111           1 403
friendster           1 399
killer               1 389
fuckyou              1 386
12345qwert           1 377
sunshine             1 363
12qwaszx             1 355
trustno1             1 345
letmein              1 344
789456               1 335
12341234             1 311
q1w2e3               1 293
sergey               1 272
Missing field            8
Other values    10 508 873
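The post's "Technical and Statistical Details" section describes two processing problems: an aggregate in at least two character encodings (CP866 and UTF-8), and frequency tables over hosts, users and passwords that have to cope with missing fields and bogus or duplicate entries. The script below is an added example, not the author's code, and runs on a small constructed sample rather than the real leak. It tries strict UTF-8 per line before falling back to CP866 (decoding everything as CP866, as the post did, mangles UTF-8 because CP866 assigns a character to every byte), de-duplicates exact e-mail/password pairs, builds the host and password tables, and lists the addresses found for one domain, which is the check an organisation would run against such a file. The "no dot after the @" rule for bogus hosts and the "Missing field" label are this example's own choices.

```python
"""Added example (not from the NamePros post): parse a credential dump with
mixed CP866/UTF-8 encoding and build the host/password frequency tables."""
from collections import Counter
from typing import Iterator, Tuple

MISSING = "Missing field"   # label for an absent field (example's own choice)

# Constructed sample, "email:password" per line as raw bytes: mostly ASCII,
# one CP866-encoded Cyrillic password, one UTF-8 password, one bogus host
# (no TLD, like the post's admin@gmail), one duplicate differing only in
# letter case, and one entry with no password field at all.
SAMPLE_BYTES = b"\n".join([
    b"alice@gmail.com:123456",
    b"bob@mail.ru:qwerty",
    b"admin@gmail:password",
    b"Alice@Gmail.com:123456",
    b"carol@yandex.ru:" + "пароль".encode("cp866"),
    b"dave@gmail.com:" + "密码".encode("utf-8"),
    b"eve@mail.ru",
    b"sales@gmail.com:123456",
])


def decode_line(raw: bytes) -> str:
    """Strict UTF-8 first, CP866 as the fallback.

    CP866 decodes any byte string without error, so it can only be the
    fallback: using it for every line silently turns valid UTF-8 into
    garbage. The heuristic is per line; a CP866 string whose bytes happen
    to form valid UTF-8 would still be mis-decoded."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp866")


def parse_entries(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (email, password) pairs; e-mail lower-cased for de-duplication.

    An empty password after the colon is kept as "" (the post's table has
    such a row); a line with no separator gets MISSING instead."""
    for raw in data.splitlines():
        if not raw.strip():
            continue
        line = decode_line(raw).strip()
        email, sep, password = line.partition(":")
        yield email.lower(), (password if sep else MISSING)


def host_of(email: str) -> str:
    """Domain part of the address, or MISSING when there is no '@' or the
    host has no dot (catches bogus entries such as admin@gmail)."""
    _local, at, host = email.rpartition("@")
    if not at or "." not in host:
        return MISSING
    return host


def summarize(data: bytes, top: int = 10) -> dict:
    """Counts over exact-duplicate-free entries, plus the top-N tables."""
    entries = list(parse_entries(data))
    unique = sorted(set(entries))        # sorted so tie order is deterministic
    hosts = Counter(host_of(email) for email, _ in unique)
    passwords = Counter(password for _, password in unique)
    return {
        "total": len(entries),
        "unique": len(unique),
        "hosts": hosts,
        "passwords": passwords,
        "top_hosts": hosts.most_common(top),
        "top_passwords": passwords.most_common(top),
    }


def entries_for_domain(data: bytes, domain: str) -> list:
    """Addresses in the dump whose host is exactly `domain` (the check an
    organisation runs to see which of its users need a password reset)."""
    found = {email for email, _ in parse_entries(data)
             if host_of(email) == domain.lower()}
    return sorted(found)


if __name__ == "__main__":
    report = summarize(SAMPLE_BYTES)
    print(f"{report['total']} entries, {report['unique']} unique")
    for label in ("top_hosts", "top_passwords"):
        print(label)
        for value, count in report[label]:
            print(f"  {value!r:20} {count:>8}")
    print("gmail.com addresses:", entries_for_domain(SAMPLE_BYTES, "gmail.com"))
```

The exact-duplicate step matters for the post's "unique, realistic entries" figure: the same pair submitted to several sites counts once, while the same address with different passwords (a user who did rotate) stays as separate rows and shows up in the user table instead.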
Very interesting. Thanks for sharing.

The nice thing about IsLeaked.com is that you can use up to three asterisks to search for your e-mail address. So you can search for joh**m*[email protected] instead of [email protected]. That gave me peace of mind that my e-mail address wouldn't fall into the wrong hands.
Unless you're on the list, in which case it's already in very many wrong hands. :)
I could care less if they could access my bank. My bank is good to me and money will be in the right hands within 24 hours.


Plus I got that 2 step.
Please use the Gmail mobile password code to log in. Every time, you will receive a password code on your mobile phone as a message, in addition to your existing password, to log in; this is added security for your Gmail account.