Pastebin.com and password lists

In the past few days, pastebin.com has been cited in a wide variety of high-profile news sources regarding a “leak” of email account passwords.

This brought a huge surge in visitors, and ensuring I kept the server functioning took up all my available spare time. I wrote a short blog entry which attracted a lot of comments. Things are a little calmer now, so I’m writing this longer post to explain what happened.

This looks like a long post, just tell me my email account wasn’t compromised…

  • I do not have a copy of the list
  • and….I do not have a copy of the list
  • just to be clear….I do not have a copy of the list

Microsoft investigated and have frozen the affected accounts on their systems and if you find yourself locked out of your account, fill out their recovery form to regain control.

Aside from that, if you’ve ever entered your email login details into anything but your provider’s web page, then I recommend you change your password. It’s likely that the leaked list came from a much larger set – just seeing the published list isn’t enough to be sure your details have not been compromised.

So, even if you are just a bit concerned, just change your password. Go on. I’ll wait.

All done? Now read on for the gory details….

Sometime prior to October 3rd 2009…

…some unknown bad guys start collecting email addresses and passwords.

We can be pretty sure that they didn’t “hack into” Microsoft or any other major email provider to obtain the passwords. These companies should not actually store your password; they just store a fingerprint of it (what developers call a cryptographic hash).

To extend this analogy to the real world: if you emailed me your fingerprint, I couldn’t tell what you looked like, i.e. I could not reconstruct you just from that fingerprint. However, I could verify your identity if I met you by taking your fingerprint and comparing to the one I had stored.

So, when you log in and send your password, they take the fingerprint of what you entered, and compare with the fingerprint stored in their database.
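As an added illustration of the fingerprint scheme described above (this is example code, not anything from pastebin.com or any email provider), here is how a service can verify a password without ever keeping the password itself: it stores a random salt plus a slow, salted hash, and at login it recomputes the hash of what was typed and compares. The sample password and the low iteration count are my own assumptions for the demo.

```python
"""
Added example: password storage as a 'fingerprint' (salted PBKDF2 hash)
and verification against it. Standard library only; the sample password
and iteration count are constructed for this demo.
"""
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 parameters. The iteration count is kept low so the
# example runs quickly; a real deployment should use a far higher count
# or a memory-hard function (scrypt, argon2).
ITERATIONS = 50_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what a provider would store: a random salt and the derived
    fingerprint of the password. The plaintext password is not retained."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the fingerprint of the login attempt using the stored salt
    and compare it to the stored fingerprint in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> tuple:
    """Show the three properties that matter: the right password verifies,
    a near miss does not, and two records for the same password differ
    because each gets its own salt."""
    record = make_record("correct horse battery staple")  # constructed sample
    ok = verify(record, "correct horse battery staple")
    wrong = verify(record, "correct horse battery stable")
    other = make_record("correct horse battery staple")
    same_fingerprint = record["hash"] == other["hash"]
    return ok, wrong, same_fingerprint


if __name__ == "__main__":
    print(demo())
```

The stored record can be leaked without directly revealing the password, which is why a list of plaintext passwords almost certainly came from the users rather than from the provider's database.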

So if they didn’t hack into a provider, where did they get them?

The most likely, and perhaps surprising, answer is that they simply asked the users for them. For example, they could create an authentic, safe looking site which promises to tell you who has blocked you on MSN Chat – all you need to do is enter your MSN account details.

Some researchers have also suggested the details were harvested by infecting PCs with keylogging software.

Oct 3rd, 04:00 UTC – Bad guys post 10,000 passwords on Pastebin.com

For reasons unknown, our miscreants post a set of hotmail addresses and passwords on the pastebin.com website.

A sharp-eyed user spotted the posting, or found it via a Google search, and it reached the attention of a tech news blog called Neowin.

Oct 3rd, 16:45 UTC – post is flagged as abuse

If users spot a post which appears not to belong on pastebin, they can flag it for attention. I check these flagged posts daily, and it’s a very rapid and streamlined process:

The software presents me the first 10 lines of the post, together with a link I can click if I think the post should be deleted. Generally it’s pretty easy to determine if something doesn’t belong, and a list of email addresses and passwords is obviously not going to make the cut.

So, someone spotted the post and flagged it. The next morning, Oct 4th, at 07:29 I saw the first 10 lines, and deleted the post in a heartbeat before realising the true scale of the list which subsequently caught media attention.

Oct 5th – Blog posts gather momentum

After Neowin posted their article on October 5th, interest in the story steadily grew.

Oct 6th – Mainstream media catches the story

I was up early on that day to check on the traffic and see if any special action would be needed. Having read the growing number of news articles I took the following action:

  • Added additional rules to the content filters on pastebin.com to ensure hotmail addresses could not be posted
  • Began searching all existing posts to ensure no further copies remained

Traffic levels were so high that the search was running at a crawl, so I closed the site so the cleanup would complete, and left for my office.

I reopened the site late afternoon UK time, and continued to monitor the traffic to ensure it remained as usable as possible.

OK, so why didn’t you keep a copy?

Let me abuse Pulp Fiction for a moment:

  • Jimmie: “Now let me ask you a question, Jules. When you drove in here, did you notice a sign out in front that said, “Email password storage”?”
  • Jules: “Jimmie…”
  • Jimmie: “Answer the question! Did you see a sign out in front of my house that said “Email password storage”?”
  • Jules: “Naw man, I didn’t.”
  • Jimmie: “You know why you didn’t see that sign?”
  • Jules: “Why?”
  • Jimmie: “‘Cause storin’ email passwords ain’t my fuckin’ business!”

Now, if it happens again, I may act differently. Security professionals at some large companies have expressed interest in helping their users if such a list could be made available to them. I’m more interested in enhancing the content filters on pastebin to ensure that text that looks like a list of email addresses is simply rejected.
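To make the content-filter idea above concrete, here is an added example of the kind of heuristic a paste site could run on a submission before accepting it. It is my own illustration, not pastebin.com’s actual filter; the regular expressions, thresholds and the three constructed sample pastes (using only example.com addresses and placeholder second fields) are assumptions. It flags both a bare list of email addresses and an address-plus-second-field list, while letting ordinary code through.

```python
"""
Added example: reject a paste that looks like a list of email addresses,
with or without an accompanying second field. Heuristic thresholds and
sample inputs are constructed for this demo.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A whole line of the form <email><separator><token> looks like a credential pair.
PAIR_RE = re.compile(r"^\s*" + EMAIL_RE.pattern + r"\s*[:;|,\t ]\s*\S+\s*$")

MIN_EMAIL_LINES = 10      # don't reject tiny pastes that mention an address
MIN_EMAIL_FRACTION = 0.5  # share of non-blank lines that must be email-like


def analyse(text: str) -> dict:
    """Count email-bearing and pair-shaped lines and decide whether the
    paste should be rejected as an address list."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    email_lines = sum(1 for ln in lines if EMAIL_RE.search(ln))
    pair_lines = sum(1 for ln in lines if PAIR_RE.match(ln))
    fraction = email_lines / len(lines) if lines else 0.0
    reject = email_lines >= MIN_EMAIL_LINES and fraction >= MIN_EMAIL_FRACTION
    return {
        "total_lines": len(lines),
        "email_lines": email_lines,
        "pair_lines": pair_lines,
        "fraction": fraction,
        "reject": reject,
    }


# Constructed sample pastes (not real data).
ADDRESS_LIST = "\n".join(f"user{i:02d}@example.com" for i in range(1, 13))
PAIR_LIST = "\n".join(f"user{i:02d}@example.com:placeholder{i:02d}" for i in range(1, 13))
BENIGN = """def greet(name):
    # maintainer: dev@example.com
    return "hello " + name

print(greet("world"))
"""


if __name__ == "__main__":
    for label, paste in (("address list", ADDRESS_LIST), ("pair list", PAIR_LIST), ("benign", BENIGN)):
        print(label, analyse(paste))
```

The fraction threshold is what keeps a code snippet with a maintainer address in a comment from being rejected; the absolute floor keeps a short signature block from tripping the filter. A real deployment would also want to log the decision so that false positives can be reviewed.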

Even if your email address wasn’t on the list, if you think you’re the kind of person who is prone to phishing scams, just change your password. If you didn’t understand that last sentence, just change your password.

The published list was likely much larger, since it seems it was alphabetically ordered and only got as far as ‘b’. Having possession of that list will not help you determine whether your address has not been compromised.

More links

Can I ask a question?

Sure! As long as it’s not “is my address on the list?”

77 thoughts on “Pastebin.com and password lists”

  1. federico

    The news has been more successful than you think. I’m from Argentina and today the rumor got even worse when the most visited computing site in my country said that there were not only 10000 Hotmail accounts, but 30000 that may also include Gmail and Yahoo accounts. Can that be true?

  2. Adrienne

    Very witty & well-stated Lordelph; I enjoyed the read. I’m off to change my password. Remain vigilant and be well!

  3. tim smith

    who posted the list? why? if someone wanted to use the list for nefarious reasons, why post the list and let everyone know they had been compromised?

  4. Obvious

    It’s obvious. Why did the Conficker people do what they did. Panic. These people wanted to make the news and wanted to see people go chaos. They are some fat loser retards that can’t get dates because of their idiotic appearance and behavioral manner. All they wanted was some place that gets views, to view it. And seeing all of the media attention, I’d say mission accomplished.

  5. Casey

    Hello 🙂
    Just a comment to say I enjoyed the read and that I’m off to change my password; (Which I’ve had for about 5 years now) haha!

    Casey.

  6. Mercenary

    Nice Post Lordelph..Quote

    ” When you drove in here, did you notice a sign out in front that said, “Email password storage”?”

    “Naw man, I didn’t.”

    “‘Cause storin’ email passwords ain’t my fuckin’ business!”

    Refreshing to see that someone has some morals these days. 😉

    Regards Mercenary

  7. carlos favas

    i´m sorry but some of that acounts are already dead the rest is a revenge paymant and don,t ends now next gmail and soon all accouints will be free of pass they keep our registe from internet telefone and everithing now they pay for everithing …

  8. Peter

    Out of curiosity, did you or your hosting company delete your database backups for the period when the emails & passwords were on your site? E.g. the information may well still be on your server and it would be wise to get rid of it all.
    Recommendation to Hotmail: If you make your login sequence more distinctive people won’t be able to copy it. It’s too easy to copy the Hotmail, Gmail, Yahoo login pages. These companies should put more thought into stopping these attacks from happening.
    Note to users: LOOK AT THE URL before you do anything; if the URL doesn’t look TRUSTED don’t stick around.
    Note to Media Websites: If you see information online which shouldn’t be online, like a list of login details, don’t write up a nice blog entry on your websites and leave it there. Inform the site owner, inform Microsoft and then do up your report after the content has been removed. These media sites have a responsibility to users also, and passing on links to content like this is just spreading the fire, not putting it out.

    Also nice blog entry, very well written.

  9. Ken

    SHIRAZ SACRANIE

    Abandon the email address and set up a new one. The likelihood is that you gave someone else your password. Treat passwords like credit/debit card numbers and keep them secret.

  10. Haggis

    Everyone keeps speculating how the passwords were grabbed. Have none of you received emails in the last few weeks from some of your contacts saying try this new service SEE WHO’S BLOCKED YOU… I have had loads of these in the last few weeks.

  11. karen

    Nice entry, I enjoyed the reading !
    I fear those people are very easy target for paypal fakers or such…

  12. David Castillo

    Everybody is thinking about malware and phishing, but what about services external to Microsoft where we give our login data without taking care, sites like:
    checkmessenger2.net
    blockstatus.com/msn/stchecker
    whoblocked.me

    In short, we have to take care where we use our data.
    Thanks

    Edit by Lordelph / Paul Dixon: Do NOT use the above services, they are provided as examples! I modified this comment to ensure they were not formatted as hyperlinks.

  13. tim smith

    It’s just a lesson to not put anything on the web you don’t want to let someone else have (keep a separate bank account with only enough for immediate purchases on the web, not using clouds for backup, etc.). If it’s on the internet it WILL be taken.

  14. Dawn

    Hello Lordelph,

    I’m writing an article about internet security. I was wondering if I could possibly ask you a few questions, via phone or email if possible?

    I’m not going to go on at you about the list, I’m sure it’s getting a bit old now.

    I’m looking at the internet in a negative way. My question is, is it more bad than good? I’d be interested to know what you think of this. Obviously a lot of people are going to shout at me, and I’m one of them, as I use the internet every single day for just about everything. But I want to write an investigative piece about all the bad things it’s facilitated, e.g. fraud, identity theft, pedophile issues etc.

    Look forward to your reply…

    Dawn

    Edit by Lordelph / Paul Dixon: I replied directly, but if anyone is curious, my rather obvious opinion is that the good far outweighs the bad, and by an enormous margin. There’s a very readable book, The Victorian Internet, which makes the case that the advent of the telegraph brought similar changes to that of the Internet. It also shows how bad people will always find ways to exploit such changes. Highly recommended!

  15. uconndave

    GEE WHIZ…Did I just put my email address in for this post?
    Anyway, remember that nobody should be ASKING that you send them your password. Would you send them your savings account number?

  16. Pingback: Chilanga Banda » Blog Archive » Hackean Hotmail

  17. DieLikeMovieStars

    Good post man,
    One thing I was thinking tho, that I haven’t heard anyone mention yet…
    I have a feeling that this is the main hack, happening right now – think about it.. 1st, a massive media hype about collected details (the plant), which creates a widespread panic to change passwords (the con) – soo, then all the hackers, and anyone else, know that everyone’s going to be changing their details asap.. hence, now is the perfect time for p/w stealing. I’d keep an eye on the situation for a lil while yet ;p

  18. DieLikeMovieStars

    Yo, I don’t know if anyone spotted a post from Carlos Favas on October 8th.. but it read –

    ” i´m sorry but some of that acounts are already dead the rest is a revenge paymant and don,t ends now next gmail and soon all accouints will be free of pass they keep our registe from internet telefone and everithing now they pay for everithing … ”

    – Now, personally, I think that’s a bit of a suspect post tbh.. it sounds like some kind of threat/ransom letter sort of thing – suggesting that this is the twat that did it.. dodgy I rekons –

  19. WaitWhat

    I found this post after my hotmail/msn spammed my contacts with ‘Coupons for Goods!’.

    I absolutely never enter my hotmail or msn password in anything other than hotmail, msn or xbox.com, so I can only assume the security breach (keylogger maybe?) was due to my PC being in the DMZ so that I can actually get Battlefield Heroes to run correctly!

    Don’t assume that everyone who has their password stolen is an idiot who enters their password in anything that looks like a login page.

  20. Luchy

    I think Microsoft may lie – Microsoft told media that its server/inter-system had not been entered by the thief. That means Microsoft keeps its system safe. In addition, news reports that the thief used “phishing” to steal the info. It made people feel that the thief did not enter Microsoft’s system. However, I don’t believe it. Because, as you know, all the accounts being stolen start with “A” and “B”, that means the thief probably had got into a server which stored all email accounts categorized by the alphabetic order A, B, C, D…. And, by what means did Microsoft find the stolen list, if it was not from pastebin?

  21. lordelph Post author

    @Luchy: Microsoft may have obtained the list before it was deleted – you would have to ask the folks at Neowin. The list is out there if you know what to look for anyway.

    And there’s really no basis for any kind of conspiracy theory about Microsoft being hacked. If you’re suggesting that having an alphabetized list is proof, then consider this: Hotmail has over 270 million users. Assuming an even distribution of first letters, you can imagine that over 10 million accounts start with the letter ‘a’. The first 10000 rows of an alphabetic dump wouldn’t even get past accounts starting ‘aa..’!

  22. Disturbed

    Just yesterday I didn’t know about that freaking damned list and now I feel like somebody stepped on my head. You see, I have a Hotmail account starting with E and… since today I can’t get into my account… There was something that really made my heart skip a beat. When I couldn’t login and tried to recover my pw… it happened that I googled my Hotmail account’s name and it came out with a result of my very own account’s name and… the new password I typed 15 minutes ago!! Is this, like, normal? Or is Google nuts… or am I?
    Anyways, I already sent that Hotmail account’s recovery thing and I hope that those nasty ass….* hackers get the water spilled on their keyboards! >O

    P.s. carlos favas don’t tell me my acc is dead, OK!? D<

  23. Nekoi

    Very nice, but if they hacked my email, they would get nothing! I use false info on my emails just cause I have been hacked on multiple online games. So hackers could hack at me all they want, they won’t get anything.

    And I love the pulp fiction reference. Just bloody brilliant. Also, just wondering if this has anything to do with why the gmail security question is written in hungarian?

  24. SillyWilly

    Thank you Lordelph for the educated and informative post. Much better than the pile on of idiots that were posting on your original blog post. That was hilarious and fun for me too.

  25. Auctioneer

    Let’s face it, there is no security as long as a Computer is connected to the “Outer World”. At least not if someone likes to see the Content of Webpages as they are made to appear on the Screen.

    To have this ability, today, one has to allow all kinds of stuff, originally not being part of HTML Pages, to make the Computer display whatever the Publisher built in, like JS, Shockwave, etc., in order to see all that Glance & Glitter, despite the Fact that most Visitors actually only came to the Site to find Information.

    Why use “NoScript” or other (useful) Add-ons, why see Firewall Warnings? It’s of no Use; one has to “allow” anything anyhow in order to finally see the Pages and their Content.

    Most Users of the Web do either not know or then not care, so there is no technical way to help them to “get” secure. At least not as long as Web Publishers use Techniques “assisting” Hackers and/or Criminals to misuse such Techniques to get illegal or personal Information.

    On the other hand, who really cares? If one uses the Web to gain Access to Bank Accounts or similar Things, it’s one’s own fault.

    If People need FreeMail Accounts in order to keep their “hidden Life” apart from their real one, it’s their Problem.

    The Web is an almost “free” Place and not even regulated. So, what do you expect? Anyone placing valuable Content on such a Place takes the risk that it will be stolen.

    As long as one cannot educate Users or strengthen the System, the best thing is to use and enjoy the Web as it comes. At least as long as it still exists in that way…

    Ernie

  26. sowmya raghavan

    Well, I think I know where they got them passwords and emails. I’ve gone to their site. And (retardedly) typed in my email and password. After that they just send spam to your contacts, regardless whether you change your password, close down your email etc. Due to a tracking cookie, of course.

  27. don

    Thanks man, your blog has helped me a lot to contact MS admin. Let’s see if I get my id back or not.

    Peace from Pakistan.

  28. DAN

    Nice post, I liked the Pulp Fiction scene.
    I got into this post thinking why you didn’t back up that post, but I changed my mind before reading your post.
    You’re a nice person!

    greetings from Uruguay

  29. Pingback: La seguretat de les contrasenyes, tema pendent « Bloc de la Biblioteca de Matemàtiques

  30. whatever

    You said “This brought a huge surge in visitors…” Now why would you try to “reject” this from happening again.
