I came across an old (>3 years) account information list which had been leaked to the web. The list included thousands (>10,000) of account details from a service or services. Apparently the event was a small-scale news item back in the day, so there's not too much to do now, even if the one page I found were removed from the web right now.

However, the list included my account name and a hashed password which could be easily decrypted to plain text. I haven't used the password in years, but I still use a rather similar one on some websites. I also use the account name every now and then. I haven't come across anything suspicious on my accounts, as far as I remember.

My question is what should I do to prevent any possible upcoming harm?

I'm unsure of what I should do. I guess I should at least think about these things:

  • Other accounts using the user name and/or (similar) password
  • Search-engines - is there any way to globally remove the page/pages appearing on searches?
user81980

  • Post the list here so we can check our information. – Jared Burrows Jul 28 '15 at 14:15
  • I'd rather not. I'm unwilling to advertise a page showing such sensitive information. The leak might never have been fully exploited, and some of the account details might even still be valid, e.g. on a completely different website. – user81980 Jul 28 '15 at 19:29
  • A hash is not an encryption, so it doesn't make sense to say that a hash can be easily decrypted. Some may try to use brute force to find a password hashing to the leaked hash. How easy such a brute force attack will be depends on both the strength of the password and of the hashing algorithm being used. If the password is strong enough, then you don't need to worry about the hash having leaked. How much entropy is in your password? And which hashing algorithm was used? – kasperd Jul 28 '15 at 20:20
  • @kasperd as I already commented on one of the answers: `The hashing algorithm was poor and one of the most used, so that can be ruled out. I did the decrypting within a minute.` I have most likely been using the wrong terms here and there, as I don't have an information security background. – user81980 Jul 28 '15 at 20:32
  • @user81980 I do not know of any widely used password hashing algorithm being weak enough to brute force a strong password within a minute. Even this traditional DES-based password hash lasted a minute and a half on my computer `qjLymUSqEmocs`, and the password I tested was weak. When choosing a password, assume it is only going to be protected using MD5 with no salt and no iterations. And make the password strong enough to last for years even under that assumption. – kasperd Jul 28 '15 at 20:59
  • @user81980: Re: wrong terms: "Decrypt" is from the set of terms "encrypt", "decrypt", "plaintext", "ciphertext". The "plaintext" is the message you actually want to send to your recipient (who could be your future self), but that you don't want random parties to be able to read; so you "encrypt" it, resulting in "ciphertext", which you then send, and your recipient "decrypts" it to recover the plaintext. In your case, this is the wrong set of terms, because the password was "hashed" rather than "encrypted": there was no intent for anyone to reverse the process and recover the password. – ruakh Jul 28 '15 at 23:29
  • @kasperd the internet is full of sites with reverse-hash "generators". Using one of the first ones appearing in the search results did the job. I guess that indirectly tells you how weak the algorithm was. Now I'm probably again making presumptions about the terms I'm using, but that's how the hash became plain text. I never mentioned that I would have done that manually, i.e. using brute force, nor did I say that the password hashing algorithm would have been a good one. After all, the whole list leaked, so the information security mustn't have been on a great level. – user81980 Jul 29 '15 at 05:24
  • @user81980 That doesn't tell you much about the strength of the hashing algorithm. What that tells you is that the password is weak. Don't blame the hashing algorithm for you choosing a weak password in the first place. – kasperd Jul 29 '15 at 05:44
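The exchange above turns on two points: a hash is not an encryption, and a "reverse-hash generator" does not reverse anything. The Python script below is an added illustration, not code from any commenter or from the site in question. It builds a tiny lookup table of unsalted MD5 digests (the constructed wordlist stands in for the billion-entry tables behind such sites), shows that "reversing" a digest is only a dictionary lookup that succeeds for a weak password and fails for a strong passphrase even under MD5, which is kasperd's point, and contrasts it with salted, iterated PBKDF2-HMAC-SHA256 from the standard library, where two users with the same password get different digests so no precomputed table applies. The wordlist, the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist for the example; the tables behind online
# "reverse hash" sites are the same idea scaled up to billions of entries.
WORDLIST = ["password", "letmein", "qwerty", "summer2015", "iloveyou"]

# Iteration count for the slow hash (an assumption for the example; tune for
# your hardware, higher is slower for every guess an attacker makes).
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted, single-round MD5: the kind of hash found in old leaked dumps."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute digest -> word once. This is all a 'reverse-hash generator' is."""
    return {md5_hex(w): w for w in words}


def reverse_hash(hexdigest: str, table):
    """Nothing is decrypted: the digest is only matched against stored digests.
    Returns the word if the password was in the table, otherwise None."""
    return table.get(hexdigest.lower())


def store_password(password: str, salt: bytes = None):
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256). A random per-user salt
    means identical passwords get different digests, so a precomputed table
    is useless, and the iteration count makes every guess cost real work."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup(WORDLIST)

    weak = md5_hex("letmein")
    print(weak, "->", reverse_hash(weak, table))          # found: letmein

    strong = md5_hex("correct horse battery staple")
    print(strong, "->", reverse_hash(strong, table))      # None: not in any table

    salt_a, digest_a = store_password("letmein")
    salt_b, digest_b = store_password("letmein")
    print("same password, different stored digests:", digest_a != digest_b)
    print("verification still works:", check_password("letmein", salt_a, digest_a))
```

The lookup succeeds or fails on the password alone: the digest algorithm never changes what is in the table, which is why a strong passphrase is safe even when the dump used plain MD5, while a salted slow hash only buys time for the weak ones.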

3 Answers

First of all, you should make sure that you don't use that password, or a derivative, anywhere that you care about. This is most important if you use the same username or email address, but still something that you should do for completely unrelated accounts. If a password is crackable, it may have been incorporated into wordlists already. And even if not, hey - it was crackable in the first place!

Second, it seems prudent to go over the rest of the account information in that dump, and see if there's anything that you consider sensitive or private. What you do if you find such information will depend on circumstance, but I don't see why you should stop at just checking the password.

As for trying to get that information removed from the web? You could try, but it's really, really hard to purge information once it's been posted. Especially since password dumps are likely to be shared on all sorts of places which don't respect polite requests. If your password is the most important thing in the dump, I'd just assume that the password is compromised, and instead focus on limiting the damage that can be done.

Soron

  • Accepted as this answer provided some thoughts I didn't consider already and answered instructively the rest. Wish I could +1 too! – user81980 Jul 28 '15 at 09:00
Once something is posted on the internet it is virtually impossible to remove it completely; even if the original link is removed there are just too many spiders storing content, one example being the Wayback Machine. Even Facebook admits to not always deleting content (check "What happens to content that I delete from Facebook?"), even when you mark it as deleted.

That your hashed password can be "easily decrypted to plain text" is not completely accurate; it depends on the hashing algorithm and on how patient an attacker is. Since they don't know the mask of your password, I would guess it's not worth their time. I posted about password cracking here.

I wouldn't even bother trying to remove anything from the internet. You may, with a lot of luck, get it removed from Google/Bing/any major search engine, but look at the by-no-means-complete list of search engines on Wikipedia: any of them may have a copy of the item you want to remove. Then, don't forget about the unlisted search engines, the ones that offer less-than-legal services and who would just laugh at your request (think in terms of ThePirateBay).

If I were you, I would just change my passwords for something new and unassociated with the previous password, as far as I can see that is the safest step to take at this point.

Purefan

  • The hashing algorithm was poor and one of the most used, so that can be ruled out. I did the decrypting within a minute. Thanks for the links though, gives an insight of how permanent data is. – user81980 Jul 28 '15 at 07:55
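Both Soron's answer ("that password, or a derivative") and Purefan's ("something new and unassociated with the previous password") come down to the same check the asker needs: is a password still in use a predictable variant of the leaked one? The script below is an added example, not part of either answer, and implements one heuristic for that check in Python: it strips a trailing year, number or symbol suffix, lowercases, undoes common leetspeak substitutions, and then compares the remaining cores by equality, containment and a difflib similarity ratio. The substitution table, the 0.8 threshold, the minimum core length and the sample passwords are all assumptions made for the example; the rule flags string-level variants only and will not catch pattern-level reuse such as a different season with the same year.

```python
import re
from difflib import SequenceMatcher

# Common leetspeak substitutions (constructed table for this example).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(password: str) -> str:
    """Reduce a password to its core word so that variants collide:
    drop a trailing year/number/symbol suffix, lowercase, undo leetspeak,
    then drop any non-letters still at the front."""
    core = re.sub(r"[^A-Za-z]+$", "", password)   # Summer2015! -> Summer
    core = core.lower().translate(LEET)           # P@ssw0rd    -> password
    core = re.sub(r"^[^a-z]+", "", core)          # #word       -> word
    return core


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings."""
    return SequenceMatcher(None, a, b).ratio()


def is_derivative(candidate: str, leaked: str, threshold: float = 0.8) -> bool:
    """True if `candidate` is the leaked password or a predictable variant of it.
    `threshold` (an assumption) is the similarity at which two cores are
    treated as the same word."""
    if candidate == leaked:
        return True
    cand_core, leaked_core = normalise(candidate), normalise(leaked)
    if not cand_core or not leaked_core:
        # Only digits/symbols to compare: just an exact, case-insensitive match counts.
        return candidate.lower() == leaked.lower()
    if cand_core == leaked_core:
        return True
    # One core embedded in the other (summer -> summers, pass -> password);
    # require a few letters so a very short core does not match everything.
    if min(len(cand_core), len(leaked_core)) >= 4 and (
        leaked_core in cand_core or cand_core in leaked_core
    ):
        return True
    return similarity(cand_core, leaked_core) >= threshold


def passwords_to_rotate(still_in_use: dict, leaked: str) -> list:
    """Names of the accounts whose current password derives from the leaked one."""
    return [name for name, pw in still_in_use.items() if is_derivative(pw, leaked)]


if __name__ == "__main__":
    # Constructed sample: the leaked password and a few passwords still in use.
    LEAKED = "Summer2015"
    IN_USE = {
        "webmail": "summer2016",                    # same word, new year
        "forum": "5ummer!!",                        # leetspeak + symbols
        "bank": "correct horse battery staple",     # unrelated
        "shop": "Winter2015",                       # same pattern, different word
    }
    print("rotate:", passwords_to_rotate(IN_USE, LEAKED))   # ['webmail', 'forum']
```

Run it locally against the passwords you still use; the point of doing this offline is that the leaked password and its relatives never leave your machine. Anything the check flags should be replaced with a password that shares no core word with the leaked one, which is what both answers recommend.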
> Search-engines - is there any way to globally remove the page/pages appearing on searches?

Depending on the search engines on which your data appears, the only way to get rid of your old information is to contact them directly. For example, this is where and how to contact Google Search to remove your old images, cached pages and so on.

> Other accounts using the user name and/or (similar) password

Depending on whether you are on Gmail, Yahoo Mail, other messaging services or social networks, each one of them offers a way to change your password (and most often your username), so do that even if you have not been in this situation, as this post outlines: How does changing your password every 90 days increase security? And follow the rules highlighted here: XKCD #936: Short complex password, or long dictionary passphrase?

  • That google link is for webmasters and only applies to removing searches linked to pages on servers you operate. There are some new privacy features that MIGHT allow you to cause a search for your specific account name to not bring back a page you identify as one of the offending results but if somebody searches generically for "account password list" it would NOT filter out your results so it's an exercise in futility – nvuono Jul 28 '15 at 16:20