This leak analysis is dedicated to Steve Gibson of Gibson Research Corporation.
Thanks for a great show Steve!
Thanks for a great show Steve!
Back in Februrary, a large gaming site called Gamigo was hacked, and in July, the full list of email and hashes found their way onto the Internet. Pwnedlist.com are the kind providers of the hashes for this analysis, and as an added bonus, they also sent me the emails for this analysis. A huge thanks goes out to Pwnedlist.com for their kindness.
The leak contains 9.475.226 valid MD5 hashes and 8.261.454 emails. It has 7.028.067 unique hashes and 8.244.423 unique emails.
In the time-frame of 7 days, 19 hours and 3 seconds, I was able to crack 7.731.708 hashes (81,6%).
Cracking SystemThe cracking was done on an ordinary GeForce 560 TI, 1024MB RAM graphics card using Hashcat-Plus v0.081 64bit. The settings of Hashcat were set to low, which resulted in only 90% cracking efficiency. Had it been optimized, the full crack would have taken 6 days and 20 hours.
Different cracking techniques such as keyboard-walking, character repetition and leet speak were used to obtain the high number of cracked passwords.
Character DistributionA healthy character distribution has equal amounts of each character type. Gamigo must have had a less than optimal password policy, as it seems that you could create passwords with whatever characters you want.
Unique Character DistributionAgain, we are reminded of the missing password policy at Gamigo. 28% of the passwords are digits only, with a good password policy, this would not have been possible.
Password CompositionWhen we take a look at the password composition, we count how many passwords contain symbols. It turns out that only 13.566 passwords that were recovered contained a symbol, and 7.718.142 that did not. This resulted in the rather boring pie chart:
Password LengthGamigo have 2 passwords with length 0 and 20 passwords with length 1. This might be passwords created during the development of the site - and they might have been the way the hackers originally hacked the site (first password check in most brute forcers is nothing).
We observe something quite unusual here, and that is the high number of 10 character passwords. The password lengths also show the missing password policy, as you can have whatever length you like.
The positive side of the case, is that the high number of 10 character passwords pushed the average password length up to 8,52 characters; higher than usual.
10 Longest PasswordsThe 10 longest passwords give an idea of how low strength long passwords can have. Repetition and common patterns are used to create long passwords; however, they are easily cracked using modern password cracking techniques.
10 Shortest PasswordsThe 10 shortest passwords are hopefully not user passwords. Both a, b and c are among the shortest passwords, which leads me to believe that they are internal testing passwords or passwords created during development.
Password StrengthA strong password has 9 or more characters, 1 digit, 1 lowercase, 1 uppercase and 1 symbol. However, in Gamigo's case, only 1250 passwords are considered strong.
This low number of strong passwords is a combination of the fact that the passwords were cracked, but also because of the missing password policy. A password of 10+ lowercase characters is not considered secure, and a single symbol in a 10+ character password would exponentially increase the security of the password.
Wordlists17% of the passwords were cracked right away using common wordlists. That is pretty normal on sites with limited or no password policy.
The IQ Wordlist (more info here) cracked 20% of the passwords.
10 Most Common PasswordsThe passwords in this list are the most common passwords used by Gamigo users. Most of them are numbers only, but a few stand out. 'azerty' is used a lot by French users since they have AZERTY keyboard layouts (see the email analysis below for more info on French users). I'm unsure why 'perach' is on the list, it might be the German municipality or a password used multiple times by a bot.
Email AnalysisThe leak also contained a large amount of emails. So as an added bonus, I've made an analysis of the emails.
8.261.454 emails were in the leak and 8.244.423 (99,7%) of them are unique. 79065 of the emails were invalid according to RFC 2822, that leaves 8.165.358 (99% of unique) valid emails.
Domain StatisticsIn the domain statistics, we can see that "hotmail.com" and "hotmail.fr" are the two most used email providers. This hint to a large percentage of French users.
Top Level Domain StatisticsIn the TLD statistics, we can see the 30% of the users of Gamigo were using German email providers. Gamigo is a German service, so we would have expected that. However, the second largest country in the statistics is France.
Email Username as PasswordsA total of 1.399.689 hashes (13%) could be cracked using the username part of the email, as the password. To maximize the efficiency, I removed dot, underscore and hyphen characters from the emails. This is a surprisingly large amount hashes cracked using the emails only. Note that I do not have email and hash pairs, but rather a bunch of emails and a bunch of hashes. Each email username was tested against all the hashes, so a user with the email firstname.lastname@example.org would have resulted in "john" being tried against all the hashes, resulting in multiple cracked hashes.
ConclusionIt seems that Gamigo, like so many other large online services, failed to implement a good password policy. Not only were they using raw MD5 as the hashing algorithm, but they also had little to no password strength requirements for their users, which resulted in over 80% of their user hashes cracked in about a week.
The lesson is that you should implement a stronger hashing algorithm and require some sort of minimum password strength of your users. Gamigo did force a password reset on all users, but many users probably just choose the same password or a password that closely resembles the old password. One good thing came of this, and that is Gamigo took responsibility and told their users of the hack, this greatly minimizes the damage that can potentially happen to the users.