- Details
- Category: Security News
Breach Notification , Data Breach , Legislation
Single US Breach Notification Law: Stalled Patchwork of 47 State Laws Will Remain
Rep. Marsha Blackburn is sponsor of a bill to nationalize data breach notification that's stalled in Congress. (Credit: Gage Skidmore)
As Europe counts down to implementing its General Data Protection Regulation, which will require EU-wide data breach notifications for the first time, similar efforts to enact a single federal law in the United States remain stalled, with little indication that Congress will act on the matter this year.
It's not that the United States lacks data breach notification. Forty-seven states, the District of Columbia and three territories have their own data breach notification requirements. Only Alabama, New Mexico and South Dakota have no data breach notification law.
Businesses that operate in more than one jurisdiction have griped over the years of the burden they face in having to comply with as many as 51 separate breach notification requirements. And many lawmakers and President Obama have endorsed the concept of nationalizing data breach notification. But support breaks down when the details of the legislation are dissected.
Committees Act, Then Nothing
Two measures to nationalize data breach notification cleared House committees last year, but many other barriers remain that will prevent their enactment in an election year when time is of the essence and legislators would rather return to their districts to campaign than spend a muggy summer and a variable autumn to legislate.
The House Financial Services Committee, by a 46-9 vote, approved on Dec. 9 the Data Security Act of 2015, which would establish minimum security protections at businesses as well as create a national requirement for data breach notification (see House Panel OK's National Breach Notification Bill). On April 15, another House committee - Energy and Commerce - approved similar legislation known as the Data Security and Breach Notification Act by a 29-20 vote (see National Data Breach Notification Bill Advances).
Both bills, if enacted, would replace existing state and territorial laws with a single, national breach notification process. Still, Republican leaders who control the House have not indicated whether they'll bring up either of the bills for a vote by the full chamber. Even if one bill passes the House, it's extremely unlikely that the Senate would get around to enacting the legislation.
The benefit to nationalizing data breach notification is that reporting breaches to law enforcement, citizens and consumers and other stakeholders would be simplified. Organizations would only have to follow one set of rules, not 51.
But the downside to nationalizing data breach notification - at least in the eyes of those wanting to protect consumers - is that the draft federal laws proposed to date have been weaker than what's already provided by some state laws.
Weakening State-Provided Protections
Nationalizing data breach notification means that a weaker federal statute would supplant stronger laws in a number of states. Take, for instance, the Commonwealth of Massachusetts and the State of California, which have data breach notification laws that contain prescriptive security processes.
Massachusetts Assistant Attorney General Sara Cable, testifying before Congress last year, argued that preempting state laws "represents a significant retraction of existing protections for consumers at a time when such protections are imperative" (see Barriers to a Breach Notification Law). She added: "Minimum data security standards are important and necessary, but the proposed standards leave consumers' data vulnerable."
But when some Democratic lawmakers tried to amend the measure to allow states to keep their more stringent security requirements, the majority of committee members balked. The bill's sponsor, Republican Rep. Marsha Blackburn of Tennessee, said the legislation was designed to be narrowly focused and that amending it to allow states to continue to enforce their more stringent security requirements would "perpetuate concerns that we have with a patchwork of state laws. This is a problem that has grown that has not diminished through the years. ... We know the amendment is broad; it would add to the confusion."
Such disagreements among lawmakers illustrate why it would be too tough to get national data breach notification legislation enacted this year. Rep. Michael Burgess, R-Texas, points out that national data breach notification measures have been before Congress since 2008 without coming up for a vote in either the House or Senate.
Getting Congress to pass any legislation is a complex, sometimes ugly effort. As the old saw goes: Laws are like sausages; it is better not to see them being made. As for nationalizing data breach notification, it'll take more time to season the sausage properly.
Correction: An earlier version of this story incorrectly stated that South Carolina did not have a data breach notification law. South Dakota does not have a data breach notification law.
The breach notification site LeakedSource claims that social networking website MySpace has been hacked, with 360 million credentials containing 427 million encrypted passwords compromised. But LeakedSource acknowledges the age of the credentials is unknown. And the veracity of the data remains in question.
Earlier this month, Leaked Source, which provides a search engine for hacked data and charges a fee to subscribe, also reported that 170 million credentials appear to have been compromised in the 2012 breach of social networking site LinkedIn.
"LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data," the company says in a blog about the apparent MySpace leak. "This database was provided to us by a user who goes by the alias
Each leaked credential "may contain an email address, a username, one password and in some cases a second password," LeakedSource says. Passwords were hashed with the SHA1 algorithm with no salting, the company notes.
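To make concrete why unsalted SHA1 matters, here is an added illustration (not code from the article or from LeakedSource) over a constructed set of six sample accounts: with unsalted SHA-1, every account that shares a password shares a digest, so password popularity and shared passwords can be read straight off the stored hashes before anything is cracked, whereas a per-user salt with PBKDF2 (the hardening shown here is my choice for the example, not anything MySpace used) makes every stored value unique.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample accounts (not data from any breach); several users share a password.
SAMPLE_USERS = [
    ("alice@example.com", "homelesspa"),
    ("bob@example.com", "homelesspa"),
    ("carol@example.com", "password1"),
    ("dave@example.com", "homelesspa"),
    ("erin@example.com", "password1"),
    ("frank@example.com", "correct horse battery staple"),
]


def unsalted_sha1(password: str) -> str:
    """Storage scheme the article describes: plain SHA-1 over the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened alternative (my choice for this example): per-user random salt plus a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def build_unsalted_store(users) -> Dict[str, str]:
    return {email: unsalted_sha1(pw) for email, pw in users}


def build_salted_store(users) -> Dict[str, Tuple[str, str]]:
    store = {}
    for email, pw in users:
        salt = os.urandom(16)  # fresh salt per account
        store[email] = (salt.hex(), salted_pbkdf2(pw, salt))
    return store


def digest_frequencies(digests: List[str]) -> Counter:
    """How many accounts share each stored digest. On an unsalted store this reveals
    password popularity (and which accounts share a password) without cracking anything;
    on a salted store every digest is unique, so the counts say nothing."""
    return Counter(digests)


def largest_shared_group(digests: List[str]) -> int:
    """Size of the biggest cluster of accounts with identical stored digests."""
    return digest_frequencies(digests).most_common(1)[0][1]


def verify_salted(store: Dict[str, Tuple[str, str]], email: str, candidate: str) -> bool:
    """Login check against the salted store: recompute with the stored salt, compare in constant time."""
    salt_hex, digest = store[email]
    return hmac.compare_digest(salted_pbkdf2(candidate, bytes.fromhex(salt_hex)), digest)


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_USERS)
    salted = build_salted_store(SAMPLE_USERS)
    print("unsalted SHA-1: largest cluster of identical digests =",
          largest_shared_group(list(unsalted.values())))
    print("salted PBKDF2:  largest cluster of identical digests =",
          largest_shared_group([d for _, d in salted.values()]))
```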
Regarding how far back the hacked information might date, LeakedSource tells Information Security Media Group via Twitter, "We don't have any clue; nothing in the data suggests a date."
MySpace did not immediately respond to an ISMG request for comment.
The same hacker who was selling LinkedIn credentials has claimed to have gained access to the MySpace credentials, the website Motherboard reports. Neither the hacker nor LeakedSource provided a sample of the hacked MySpace data for verification of its authenticity, Motherboard reports.
A Record-Breaking Breach?
The breach, if confirmed, could be a record-breaker.
"If it turns out to be legitimate, this would certainly be one of the largest - if not the largest - breaches of credentials we've seen to date," Troy Hunt, who runs the free "Have I Been Pwned?" service, which alerts users when their registered email addresses appear in public data dumps, tells ISMG.
"The significance of a breach like this is always twofold: access to the accounts on the site via leaked credentials and access to other accounts via credential reuse."
LinkedIn Hack
In the wake of the LinkedIn breach, on May 18, LinkedIn CISO Cory Scott said the company will invalidate all passwords that haven't been changed since 2012. "We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven't updated their password since that breach," he said. "We will be letting individual members know if they need to reset their password."
LinkedIn said it's also begun legal action to attempt to get the password dump taken down, although by some accounts the data was stolen by a Russian cybercriminal, meaning legal moves will probably have no effect. "We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply," Scott said. "In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts."
While the report by LeakedSource of the MySpace hack comes just weeks after the LinkedIn breach revelation, "I don't think social media sites are any more of a target than other sites," Hunt says. "It's more likely a reflection of sites with large volumes of users being a high target. We've seen a spate of dating site hacks recently too."
As for who might be behind the latest hack attack, Hunt says: "It's always hard to attribute malicious activity like this purely based on what we see in the breach data. This attack looks to be quite old too due to the relatively small portion of Gmail accounts, although that could also be representative of the fact that the MySpace heyday has well and truly passed."
Many Questions
Cameron Camp, a security researcher at ESET, a security services firm, questions the veracity of the leaked MySpace data. "I looked at their list, and the top supposedly hacked password is 'homelesspa' with a purported 855,478 examples. I find that hard to believe. The rest of the top ten are more frequently found on the big lists of common passwords, but they still don't map to what you'd expect, in terms of frequency/distributions that are typical on big breaches.
"Also, due to some accounts having two passwords, there are 427.4 million passwords for only 360 million users. Which begs the question, why were they keeping a list of multiple passwords per account?"
Social media sites are big targets because they offer a wealth of information scammers can use for ID theft, for resale or for future exploits, Camp says. "Combine that with the staggering amount of information people either share directly or that can be inferred - like family, physical location, etc., and it becomes a goldmine for scammers."
(Watch for updates on this developing story.)
Troy Hunt runs 'Have I Been Pwned?'
Troy Hunt's free breach-notification service, Have I Been Pwned?, logs tens of thousands of visits per day, particularly if there's been a major data breach making news headlines. His service enables people to discover if their email address - and by extension access credentials - have been compromised via breaches small and large, including leaks involving Adobe Systems (152 million credentials exposed), the Ashley Madison extramarital dating site (31 million credentials) and most recently, LinkedIn (164 million credentials).
But running such a service is not without its complications. For starters, there's a delicate balance to strike between informing the public and not divulging so much information that it could jeopardize people's privacy, says Hunt, who was scheduled to speak at the AusCERT computer security conference near Brisbane, Australia, on May 27.
Hunt launched Have I Been Pwned? in late 2013 as a resource for the public and organizations, but he's also a regular speaker at information security conferences and workshops around the world (see Top 10 Data Breach Influencers).
Hunt sat down with Information Security Media Group on May 25 to discuss how his views on data breach disclosure have continued to evolve, as well as to share his insights into LinkedIn's ongoing breach saga.
Analysis: LinkedIn Breach
Jeremy Kirk: So, what I think is interesting is that yesterday I received a notification from Have I Been Pwned? that my LinkedIn data was in the most recent release.
Troy Hunt: Congratulations.
Kirk: Thank you very much. And I haven't received any notification from LinkedIn yet.
Hunt: It's very interesting. I've had a lot of people say that and, in fact, my email address is in the breach, but I didn't get a notification. And I've heard various theories about why that is. One theory is that they're not sending it to people who have changed their password since 2012. Now, on the one hand, you could rationalize that by saying, "Okay, well these people no longer have a risk on LinkedIn." Yet, on the other hand, you've got this situation where people reuse passwords.
And they need to know, because inevitably they've reused that password from 2012 somewhere else. The other theory I've heard is that people who didn't have a password hash against their email address in the breach, which is the case for me - I have an empty record for the password against my name - didn't receive an email. But then you've got a situation where people say, "Well, I would actually like to know if my email address has been exposed, even if it's just my email address." And there might be a question there as well about what is the obligation of LinkedIn, under management disclosure laws as well, when someone does have even just their email address leaked in that fashion.
Kirk: So this LinkedIn breach is strange for several reasons. We had an initial breach in 2012 of about 6.5 million credentials and then suddenly 164 million. There are questions around why did this release happen now. Do you have any theories on why this big tranche of data might have been released just in the last few weeks?
Hunt: Well, I think the first observation there is, is that this is not highly unusual. It's not unprecedented. We've seen data in Have I Been Pwned? actually, of a very similar nature. We saw things like Moneybookers and Stella, the gambling sites, which were breached in 2009 and 2010, respectively. And that data only came to light at all just last year. So now we're talking like five or six years on.
What are the reasons that it happened? Well it might be that whoever exfiltrated this data to begin with has had some catalyst which has caused them to release this, so maybe they - maybe they want to get straight and they want to cash it in. Maybe they've traded it with someone else. Maybe they had it stolen from them. We really don't know. But clearly there has been some event which has caused this data which has laid dormant for that long to suddenly be out here in the world.
Game Changer: The Ashley Madison Breach
Kirk: You've made some interesting decisions over how you handled breaches, how people can search for them. One of the most prominent ones was Ashley Madison. You decided to put some limits on how people could access information. Can you describe a little bit more of what your thinking process was at that time?
Hunt: Yeah, so if we think back to Ashley Madison, to be honest, I had the fortuitousness of having the luxury of time, in that, in July 2015, we had a statement from the hackers, saying: "Look, we've broken in, we've stolen all their things, if they don't shut down we're going to leak the data." And that gave me an opportunity to think about well, what would I do if 30 million accounts from Ashley Madison turned up? And I thought about it for a while, and I realized that this would actually be really sensitive data. And then I wrote a blog post after the announcement but before the data was public, and said look, if this data does turn up, I want it to be searchable in Have I Been Pwned?, but I don't want it to be searchable by the people who don't have a client address.
So what I did then was I made sure that I had the mechanism in place, such that if that data hit, you could go and subscribe to the notification system and then search once you verified your email address. So you've got to receive an email at the address you're looking for. You can't go and check your husband's account or your employee's account or your parent's account or anything like that.
Kirk: Now with some of the other data that's been leaked, you can do that, right? Through the API?
Hunt: Yeah, correct. And this is sort of a thing I still give a great deal of thought to, because, effectively, I'm making judgment decisions on what should be publicly searched and what shouldn't. And often I'll get people say, "well, you know, shouldn't everything not be publicly searchable?" Because as it stands at the moment, you can go and publicly search for if someone has, say, a LinkedIn account. Now LinkedIn's probably a good example of one end of the opposite extreme to what Ashley Madison is. And there, I'm sort of trying to say on the one hand, I want this information to be discoverable by people in the easiest possible way.
Inside the VTech Incident
Kirk: You made another interesting decision with the VTech breach, which was the Hong Kong toymaker that saw identities of children who had registered for their services released.
Hunt: With VTech, this was a little bit unique in that we had someone hack into VTech, suck out 4 million-plus parents' data, hundreds of thousands of kids' data. The [hackers] decided they should do this in order to help VTech understand they had a security vulnerability. So rather than contacting VTech, they thought we'll just illegally exfiltrate huge amounts of data and then we'll send it to a reporter, which is just unfathomably ignorant. But anyway they did that. They sent it to the reporter. The reporter then gave it to me to verify so that they could swirl a story out of it. And I subsequently put it in Have I Been Pwned?.
The one thing that everybody wanted is to be sure that this data was never going to go any further. And, from my perspective, really, it just didn't make a lot of sense to me to have it anymore. You know, there was no more ongoing value, particularly when VTech assured me that everybody in there had been individually contacted.
Kirk: So, it seems like every time you encounter a breach, there are these nuances that challenge whether you should put the data into Have I Been Pwned?.
Hunt: There are always nuances, right. And every single incident including this LinkedIn one will make me stop and think "Is this the right thing to do?" So LinkedIn made me stop and think for multiple reasons, and one of them is just purely mechanical. There were about 164 million unique email addresses. It's not easy loading that into the data structure that I have.
The Future of Passwords
Kirk: A final question for you. Do you think we're going to be using passwords in 2026 - or even in 2036?
Hunt: Now that's exactly the question people were asking 10 years ago. "Are we still going to be using passwords in 2016?" What do you think? Yes. I think it will continue to evolve. We look at it today, and we're using a lot more social log-ins. So we still have passwords, but we will have less of them, and there are services that are meant to protect them. We have further ways of verification as well. We have noticed that verification now, on many different services, including LinkedIn. That is sort of heading us in the right direction. We have biometrics that we can use more extensively.
Fraud , Messaging , Technology
AusCERT Session Focuses on Origins, Traits of Fraud Schemes
The business of executive email hacking is booming. Wedging themselves deeply inside company email systems, fraudsters are stealing hundreds of millions of dollars by impersonating key personnel and initiating large wire transfers.
The FBI said in August 2015 that the scam, known as business email compromise, had cost organizations $1 billion worldwide. But in April, the agency raised its estimate, saying at least $2.3 billion had been lost. And those are only the incidents that have been reported.
"We don't really know how big a problem it is," says Donald McCarthy, vice president of operations with myNetWatchman, who gave a presentation at the AusCERT computer security conference near Brisbane, Australia, on May 26.
Lucrative and Simple Schemes
The losses are causing turmoil. On May 25, Austrian aerospace manufacturer FACC fired CEO Walter Stephan after the company lost $47 million in a wire fraud scam, Reuters reported. The attackers posed as Stephan in an email.
McCarthy has studied the schemes extensively. They're highly lucrative and devilishly simple. The attackers, many of whom are based in West African countries, use login credentials gained through phishing schemes to gain control of company email accounts.
Once inside, the fraudsters extensively study the company's processes and how employees communicate with one another, particularly around financial transactions. The attackers are patient, taking time to understand the relationships between key people in a company and learn how to mimic the right tone in communications so that a deception won't be detected.
When the time is right, a fake invoice or request is sent from a real employee's email account for a wire transfer.
"By the time the money is sent, it's very hard to claw back," McCarthy said.
TMI?
Part of the problem is that companies have made themselves easy targets by publicly revealing too much information about their employees, he says.
"Companies love to put their executives out there front and center on their blogs," says McCarthy. "That really gives the attackers everyone they would need to know. They understand the relationships with stakeholders."
What has made companies as well as high net worth individuals vulnerable is that much of their critical financial communication takes place over email. If attackers have control of email accounts, no security product is capable of coming to the rescue.
The attacks essentially achieve "the effect of Eastern European malware without the malware," McCarthy says.
Even if a company suspects that email accounts have been compromised, it's often too late. Typically, the hackers set up new rules in a victim's email account that send copies of messages to their own accounts and then immediately delete those messages. Even if an employee changes their password, the fraudster still has access to communications.
"It's a great persistence mechanism," he says.
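As an added detection example (not code from the article or from myNetWatchman), the following scans a constructed export of mailbox rules for the persistence pattern McCarthy describes: a rule that forwards mail to an address outside the organisation, rated higher when it also deletes the original. The rule fields, the severity labels and the internal domain `example.com` are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the organisation's own mail domains; any other domain counts as "external".
INTERNAL_DOMAINS = {"example.com"}


@dataclass
class InboxRule:
    """Simplified view of a mailbox rule as it might appear in an admin export (assumed shape)."""
    owner: str                                            # mailbox the rule lives in
    name: str
    forward_to: List[str] = field(default_factory=list)   # forward/redirect targets
    delete_message: bool = False                          # rule also deletes the original
    enabled: bool = True


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    return mail_domain(address) not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> Dict:
    """Return a finding for a suspicious rule, or an empty dict if it looks benign."""
    if not rule.enabled:
        return {}
    external = [a for a in rule.forward_to if is_external(a)]
    if not external:
        # Deleting or filing mail without external forwarding is ordinary housekeeping.
        return {}
    reasons = [f"forwards to external address(es): {', '.join(external)}"]
    severity = "medium"
    if rule.delete_message:
        # Forward-then-delete keeps the copy out of the mailbox owner's sight.
        reasons.append("deletes the original message after forwarding")
        severity = "high"
    return {"owner": rule.owner, "rule": rule.name, "severity": severity, "reasons": reasons}


def scan_rules(rules: List[InboxRule]) -> List[Dict]:
    """Findings for every rule that matches the pattern, in export order."""
    return [f for f in (assess_rule(r) for r in rules) if f]


# Constructed sample export: two benign rules and two that match the forward-and-delete pattern.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Invoices",
              forward_to=["payments.archive@mailbox-relay.example.net"], delete_message=True),
    InboxRule("cfo@example.com", "Team digest", forward_to=["assistant@example.com"]),
    InboxRule("ceo@example.com", "Newsletter cleanup", delete_message=True),
    InboxRule("ceo@example.com", "Backup", forward_to=["ceo.backup@freemail.example.org"]),
]

if __name__ == "__main__":
    for f in scan_rules(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['owner']} rule '{f['rule']}': " + "; ".join(f["reasons"]))
```

Because the rule survives a password change, a review of forwarding rules belongs in the response to any suspected mailbox compromise, not only the credential reset.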
Not a Technology Problem
The problem of business email compromise is not really a technological one. The scams often rely on exploiting poor controls around how funds are approved for transfers, McCarthy says.
"It's a business process," he says. "If you structure your business process to counter this threat and you structure it well, it's going to survive more than this threat. That just costs you time."
For example, any request to transfer money should not solely rely on email, he says. Organizations should have another way to validate and authenticate payment requests, he explains, "whether it's picking up the phone or whether it's go down the hall to that CFO and validate the transaction. I know that the CFO is busy, and people are afraid to approach him, but I've seen it time and time again where that CFO was happy to delegate the 32 seconds that it took to either authorize or not authorize a transaction that potentially saved the company a half million dollars."
Anti-Fraud , Anti-Malware , Anti-Money Laundering (AML)
Malware Attackers Stole $250,000 From Sonali Bank
A fourth case has come to light involving hackers using malware to infiltrate bank systems and inject fraudulent money-transfer requests into the SWIFT interbank messaging network.
Authorities in Bangladesh have reopened a cold case involving state-owned Sonali Bank - the country's largest commercial bank - which suffered the theft of $250,000 in 2013, an unnamed senior law enforcement official tells Reuters. The case is being re-examined following the $81 million theft from the central bank of Bangladesh in February.
After that attack was publicly revealed in March, two other, similar attacks also came to light (see SWIFT Warns Banks: Coordinated Malware Attacks Underway). In early 2015, Ecuador's Banco del Austro lost $12 million to attackers. In late 2015, meanwhile, Vietnam's Tien Phong Bank blocked an attempt to steal more than $1 million. Both of those attacks were first publicly disclosed only this month.
But an even earlier attack has come to light, involving Sonali Bank. An unnamed senior IT official at the bank tells Reuters that in 2013, attackers infected bank systems with a keylogger, stole passwords, used those to move laterally through the bank's network and then issued an unspecified number of fraudulent SWIFT transfer requests, resulting in the theft of $250,000.
Sonali Bank didn't immediately respond to a request for comment on that report, which says the money was initially moved to an unnamed bank in Turkey.
But the managing director of Sonali Bank, Pradip Kumar Dutta, tells Reuters that the bank has yet to recover the funds, and that its attackers remain at large.
"We could not find out what happened," he says.
Bangladesh's Anti Corruption Commission investigated the 2013 hack attack. Officials there couldn't be immediately reached for comment.
Meanwhile, cybersecurity firm FireEye, which was hired by Bangladesh Bank to investigate its hack attack, has been contacted by up to a dozen more banks in Southeast Asia who suspect that hackers may have also breached their networks, Bloomberg reports, citing an unidentified source. Banks in the Philippines and New Zealand - but none in Western Europe or the United States - are among the firms that have reportedly sought assistance, though it's not clear whether any funds had been stolen. A FireEye spokesman declined to comment on that report.
Are All Four Cases Related?
In all four known cases, the attacks were perpetrated by issuing fraudulent transfer requests via the messaging network maintained by Brussels-based SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication. The cooperative, which is owned by 3,000 banks, maintains a "secure financial messaging service" used by more than 11,000 banks around the world, which handles communications related to billions of dollars' worth of transfers daily. But following the hack attack and fraudulent SWIFT transfer reports, some officials and security experts have criticized the cooperative for not doing more to help secure its customers.
A SWIFT spokesman didn't immediately respond to a request for comment on the Sonali Bank case - about which it reportedly learned in 2013 - or whether the three other SWIFT-using bank heists are connected.
Attackers Moved Money
Most of the fraudulent SWIFT heists have involved moving money between a number of banks, sometimes also including money exchange services. In the case of Bangladesh Bank, attackers attempted to steal $1 billion before successfully moving $100 million, only some of which has been recovered, which still makes it one of the biggest bank heists in history. A related investigation is being spearheaded by the FBI and authorities in Bangladesh. Investigators say that in that attack, the money was routed through multiple banks, before being laundered via casinos in the Philippines.
In the $12 million Ecuadorian heist, court documents show that $9 million of the money stolen from BDA was moved through a web of companies based in Hong Kong, while $3 million was routed to Dubai and elsewhere, Reuters reports.
It adds that court documents submitted by BDA to Hong Kong's Court of First Instance, seeking recovery of the stolen funds, allege that some companies in the territory were "unjustly enriched."
SWIFT's Image Takes a Hit
In the wake of the bank hack reports, SWIFT's image has suffered, even as the cooperative has continued to assert that its network and software remain secure and questioned victims' information security practices (see SWIFT to Banks: Get Your Security Act Together).
Officials in multiple countries have been querying banks how they plan to better secure their use of SWIFT, and asking SWIFT how it plans to help (see Banks, Regulators React to SWIFT Hack). Notably, the Bank of England in April asked all British banks to detail how they have been responding to the Bangladesh Bank hack, and some legislators in the United States are calling for U.S. regulators to follow suit.
This week, Gottfried Leibbrandt, CEO of SWIFT, said that his organization would help banks to better share threat-related information and spot related fraud, and promised that SWIFT would soon issue more comprehensive security guidance to customers.
"Back before mainframes, ATMs, mobile banking and PCs, it was all about men and guns," Leibbrandt said in a May 24 speech in Brussels. "Now it is about men and hoodies hunkering over keyboards. And as we continue to connect everything to everything, things will get ever more challenging."
But he said that SWIFT alone won't be able to secure banks. "This will only work if the industry works together," he said. "SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain - and, for some, become - banks' priority."
May 26: This story has been updated to reference the Bloomberg report.