Why did someone leak millions of Yandex and Mail.Ru email passwords, most of them inactive? Images mixed by Tetyana Lokot.
Russia's largest email services, Yandex and Mail.Ru, were both hit with password leaks recently, resulting in millions of passwords published openly online and heated discussions in Russian web communities. The companies claimed the passwords were obtained through phishing scams on the users’ end rather than hacking attacks on their servers.
Yandex was the first to fall, when Habrahabr.ru [1], a popular tech and internet news forum, first published news [2] of the password leak. User lagudal [3] said [4] he discovered the file with 1.2 million Yandex email logins and passwords on the Infosliv [5] forum, a traditional leak dump space. Some of the other Habrahabr.ru users investigated the file and found their Yandex account information there, proving the database was at least in part real.
Such a massive password dump inevitably caused a commotion in the RuNet and invited witticisms based on Yandex's search engine slogan, “Найдётся всё” (Anything can be found), like this one from Twitter user Shulz [6]:
Яндекс. Найдётся всё. Даже пароли от ваших аккаунтов в Яндексе.
— Дядюшка Шу (@Shulz) September 8, 2014 [7]
Yandex. Anything can be found. Even your Yandex accounts’ passwords.
Editors of Zuckerberg Calling [8], a Russian website about startup and internet business news, also tested out some of the email login and password pairs and found [9] that in many cases the inboxes were real, but appeared forsaken or inactive. Even so, word quickly got around, and everyone set about to changing their passwords just in case. Helpful netizens set up a website [10] where one could check to see if their Yandex email was among those dumped in the password leak.
Habrahabr.ru [1] user Haoose decided to investigate the security and strength of the leaked passwords and published a ranked list [11] of the most used ones. As is usually the case, the combination “123456” was at the top of the list, found in the database 37,821 times, and followed by security gems “123456789” and “111111”. Average email users, it seems, never change.
Speculation was rife about a hacker attack on Yandex servers or an internal leak, when Yandex's press-service finally denied any instances of hacking or leaking. Yandex confirmed [12] that active account passwords only made up 15% of the published database, and the remaining 85% were inactive accounts, which had not responded to earlier password reset notifications sent out by the tech staff.
The active account information and passwords in the published database, Yandex said, were compromised by the users themselves, either as a result of virus attacks or phishing scams, and Yandex had launched verification procedures for these accounts. Yandex also insisted [12] they never store passwords in plaintext, and use the necessary precautions for encrypting them.
Мы не храним пароли открытым текстом, никогда не передаём их по сети открытым текстом и не открываем их любым третьим лицам. Более того, большинство из этих паролей слишком простые, и сейчас их даже установить не получилось бы.
We don’t store the passwords in cleartext (plaintext), we never transmit them on the Internet in cleartext and don’t open them up to third parties. Moreover, the majority of these passwords are too simple, and could not even be used [by our email subscribers] now.
Regardless, Yandex did reset the passwords of the 1.2 million compromised accounts, both inactive and active ones. VKontakte also suspended [13] all pages of users who used leaked Yandex emails to register, asking them to change their passwords, VK's press-secretary George Lobushkin [14] said on Twitter.
В целях безопасности заморозили все аккаунты, зарегистрированные на скомпрометированные адреса Яндекса, пока их владельцы не поменяют пароли
— George Lobushkin (@lobushkin) September 8, 2014 [15]
As a safety precaution, we've frozen all the accounts registered to the compromised Yandex addresses until their owners change their passwords.
The discussion about the Yandex “leak” had hardly died down, when another Habrahabr.ru user polym0rph [16] found a different database with 4,5 million [17] Mail.ru logins and passwords, published on the Bitcoin Security [18] forum. Mail.ru analysed the database and concluded that 95% of the leaked accounts had been flagged as compromised previously, asked to change their passwords, and were restricted from sending emails or inactive. The overall context of the “leaked” database and the seemingly huge numbers of compromised accounts seemed suspiciously like the Yandex incident, which took place only hours before.
The almost simultaneous publication of two big password databases raises questions, but the arguments of Yandex and Mail.ru in reaction to the security scare seem valid: you don’t have to be a sophisticated hacker to crack a password like “123456,” and you don't have to hack the system, just hijack a few passwords.
In spite of these convincing arguments, some experts don't believe that the users’ data leaked out entirely through a fault of their own. The amount of stolen passwords seems too large to be collected by means of viruses and fishing, Andrey Zerenkov, senior information security consultant at Semantic, told Vedomosti [19].
Zerenkov acknowledged that such a massive dataset could be gathered manually over a period of several years, which does not explain why it was leaked at this particular moment.
Разумеется, этот список мог составляться не один год и даже группой лиц, но тогда непонятен мотив появления этих данных. Обычно подобные публикации — это результат утечки, а не долгой и кропотливой работы с какой-то скрытой целью, чаще всего криминального характера.
Of course, this list could have been put together over a few years and by a group of people even, but then the motive of publishing this data is unclear. Usually such publications are a result of leaks, and not of long and arduous labor with a concealed purpose, usually of a criminal nature.
According to IT entrepreneur Anton Nossik [20], there could be several reasons for laying this data open to the public all at once. He supposes [21] one reason might be that the Russian government is trying to prime public opinion for a new Internet law. The law in question might be an initiative about storing personal data (like the well-known data servers law [22]) or a directive about a government-owned mail service.
While Nossik's conjectures are pure speculation, the Kremlin does enjoy skewing public opinion on matters of importance, and is quite good at it. Knowing how prolific Russian lawmakers have been lately on Internet-related matters, we only have to wait a little bit to find out.