January 22, 2019

Last week was all about the 773 million records data breach, nicknamed “Collection #1”. It's a compilation of previous data leaks that is a few years old, but it's still interesting to check which Czech (and Slovak) websites are present in it and in other databases (such as “Collection #2” to “Collection #5” and “BigDB”).

The news about “Collection #1” was broken by Troy Hunt when he uploaded the data to Have I Been Pwned?, a breach notification service he runs. Almost 90 GB of data, 773 million unique emails and 2.7 billion records in total. Quite massive. It seems the data in this collection is a few years old and many of the leaks are already known and, hopefully, plugged.

Collection #1-#5 and more

There are other combos, too: “Collection #2” to “Collection #5”, which together hold almost 850 GB of data. It seems all of these collections, at least when it comes to Czech and Slovak sites, come from one massive database called “BigDB”, which totals 595 GB and contains quite a few packed archives, so the actual size is a lot bigger.

These combos are often sorted into categories like “games” or “cryptocurrencies”, by country, etc., and attackers use them for credential stuffing: they take known username and password combinations and try them against other services. Because users reuse their passwords, the bad guys log in successfully in many cases.

Which Czech websites are listed in those databases? All the sites listed below are present in the “BigDB” combo, some even multiple times with different numbers of records. But that doesn't mean the data really comes from those sites. Keep that in mind until the leak is confirmed. If you manage one of the sites, you should investigate, inform your users, and also the local Office for Personal Data Protection. It should also be noted that half of these sites were already added to Have I Been Pwned? a year ago, but we didn't know how much data was in there.

Interested in a list of Slovak sites? It's in Part 2.

Each site below lists the password storage algorithm seen in the “BigDB” combo and the number of records. I've also added the number of cracked passwords in the combo in cases where the site used some password “obfuscation”. It would be possible to crack more in a few more hours (and for a few dollars), but I didn't do it this time except in some minor cases. Check my write-up about password cracking if you want to know more about the techniques used nowadays and how much it costs.

A lot of these sites still use (or used at the time of the breach) wrong and insecure password storage. If you're like these sites, please stop. Here's how to upgrade password hashing.
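As an added example (my own code, not the post's or any library's), here is the shape of such an upgrade done without waiting for users to log in: the legacy unsalted MD5 digest that the site already stores is fed into a slow, salted KDF and the record is tagged as wrapped, so a stolen table no longer yields fast-crackable MD5; on the user's next successful login the wrapper is removed and the password is hashed directly. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt or Argon2 so the example runs offline, and the `pbkdf2$` / `pbkdf2-md5$` record format is an assumption made for this example.

```python
import hashlib
import hmac
import os

# KDF settings for this example (assumed; pick parameters for your own hardware).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def legacy_md5(password: str) -> str:
    """How the old site stored passwords: unsalted MD5 hex, which is insecure."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)


def hash_new(password: str) -> str:
    """Hash a password directly. Record format (assumed): pbkdf2$<salt_hex>$<hash_hex>."""
    salt = os.urandom(SALT_BYTES)
    return "pbkdf2$" + salt.hex() + "$" + _kdf(password.encode("utf-8"), salt).hex()


def wrap_legacy(md5_hex: str) -> str:
    """Upgrade a stored MD5 hash without knowing the password: the MD5 hex digest,
    not the password, is the KDF input. Format (assumed): pbkdf2-md5$<salt>$<hash>."""
    salt = os.urandom(SALT_BYTES)
    return "pbkdf2-md5$" + salt.hex() + "$" + _kdf(md5_hex.encode("ascii"), salt).hex()


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    try:
        scheme, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    salt = bytes.fromhex(salt_hex)
    if scheme == "pbkdf2":
        secret = password.encode("utf-8")
    elif scheme == "pbkdf2-md5":
        secret = legacy_md5(password).encode("ascii")  # recreate the legacy layer
    else:
        return False
    return hmac.compare_digest(_kdf(secret, salt), bytes.fromhex(hash_hex))


def login(password: str, stored: str):
    """Return (ok, record_to_store). A successful login against a wrapped legacy
    record rehashes the plaintext directly, so the MD5 layer disappears over time."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("pbkdf2-md5$"):
        return True, hash_new(password)
    return True, stored


if __name__ == "__main__":
    old_record = legacy_md5("correct horse")      # what the old table held
    wrapped = wrap_legacy(old_record)             # one-off migration, no password needed
    ok, upgraded = login("correct horse", wrapped)
    print(ok, upgraded.split("$")[0])             # True pbkdf2
```

The migration step runs once over the whole table, so the window in which a dump still contains bare MD5 closes immediately rather than only for users who happen to log in.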

Czech sites in password combos

  1. abkontakt.cz: 191199 records, MD5, 0 passwords (11564× “katerina”, 1500× “dana”, 171013× “robot”)
  2. achpak.cz: 690 records, plaintext
  3. poradna.adiktologie.cz: 14540 records, first 11 characters of MD5, 0 passwords
  4. almipraha.cz: 2829 records, plaintext
  5. aloki.cz: 14613 records, MD5, 13634 passwords
  6. alveus-drezy.cz: 1184 records, MD5, 0 passwords
  7. asiantitulky.cz: 4063 records, MD5(?), 3038 passwords
  8. var2.astro.cz: 584 records, plaintext
  9. eshop.atos.cz: 1501 records, MD5, 474 passwords
  10. auctions-art.cz: 5091 records, SHA-1, 5444 passwords
  11. banner-lov.cz: 10751 records, MD5, 6520 passwords
  12. banner-security.cz: 10746 records, MD5, 6511 passwords
  13. beers.cz: 1284 records, plaintext
  14. big-wall.cz: 3401 records, MD5, 0 passwords
  15. biomonitoring.cz: 5486 records, MD5, 0 passwords
  16. bonekan.cz: 1372 records, MD5, 363 passwords
  17. canicross.cz: 887 records, plaintext
  18. casino-technology.cz: 6758 records, plaintext+bcrypt, 1603 passwords
  19. chotec.cz: 620 records, MD5, 0 passwords
  20. comx.cz: 885 records, MD5, 0 passwords (but all accounts have the same password “1X1A”)
  21. coollight.cz: 2127 records, plaintext
  22. crew.cz: 3037 records, MD5, 2782 passwords
  23. projekty.czechnationalteam.cz: 4729 records, MD5+phpBB3($H$)+Drupal7($S$), 1924 passwords
  24. czshopy.com: 2403 records, MD5, 2225 passwords
  25. danutiming.cz: 3767 records, MD5, 3270 passwords
  26. dbsvet.cz: 17565 records, MD5, 3140 passwords
  27. desky.cz: 5236 records, MD5, 5107 passwords
  28. 2010.divadelnisvet.cz: 9100 records, MD5, 0 passwords
  29. pocasi.divoch.cz: 3094 records, MD5, 3018 passwords
  30. dj-shop.cz: 2040 records, plaintext
  31. dracidoupe.cz: 12982 records, MD5, 5514 passwords (a different file for the same site has just 5584 accounts)
  32. forum.drbal.cz: 2017 records, MD5, 0 passwords
  33. drp.cz: 1112 records, MD5, 0 passwords
  34. ekopress.cz: 3693 records, plaintext (passwords look randomly generated, their length is 12 characters)
  35. elektroprinc.cz: 2704 records, MD5, 2587 passwords
  36. idnes.www.elweb.cz: 585 records, plaintext, 308 passwords (some accounts have no password, and there are other passwords for the same site in a leak called tatoomira.elweb.cz)
  37. eone.cz: 1650 records, plaintext, 1060 passwords (some accounts have no password)
  38. eski.cz: 3448 records, MD5, 0 passwords
  39. urel.feec.vutbr.cz: 999 records, MD5, 363 passwords (20× “h54rsjrF5J46788998”, 13× “I9k7hnv5sR”, 9× “1721k1721”)
  40. www2.fm.vse.cz: 1745 records, plaintext
  41. foosball.cz: 1108 records, plaintext
  42. kss.fp.tul.cz: 941 records, plaintext
  43. funexplosive.cz: 2646 records, Salted MD5, 0 passwords (many email addresses look generated, e.g. somadrughblhguliwadmin@dendride.ru)
  44. gastrotrend.cz: 938 records, MD5, 925 passwords
  45. genomac.cz: 4401 records, MD5, 1648 passwords (partly in genomacinst.cz leak)
  46. hazena.pb.cz: 5263 records, plaintext (3292 accounts use generated emails, e.g. awuodefs@nmjanodd.com)
  47. helmetshop.cz: 1190 records, plaintext
  48. helmy.cz: 1758 records, plaintext
  49. hvezdarna.cz: 6063 records, MD5, 5431 passwords
  50. ian.cz: 10073 records, plaintext
  51. instrumento.cz: 3448 records, plaintext
  52. isumava.cz: 1559 records, MD5, 1490 passwords
  53. hry.izde.cz: 583 records, plaintext
  54. jaj.cz: 1117 records, MD5, 880 passwords
  55. jince.cz: 1635 records, MD5, 0 passwords
  56. jseddica.cz: 2995 records, MD5, 2947 passwords
  57. kaktusy-rysavy.cz: 1602 records, MD5, 0 passwords
  58. kkkonstruktiva.cz: 1782 records, MD5, 777 passwords
  59. kuma.cz: 81663 records, plaintext (I tried to report the breach last year to them, but this is a really sad story, I'll blog about it one day)
  60. legendapraha.cz: 502 records, MD5, 0 passwords
  61. lezec.cz: 9678 records, plaintext
  62. libchavy.cz: 6560 records, plaintext (passwords look generated, length 7 characters, some look like a “keyboard walk”, e.g. “fssjsjsf”)
  63. eshop.ltec.cz: 3592 records, MD5, 0 passwords
  64. majkluvsvet.cz: 4877 records, MD5, 0 passwords
  65. mesto-klimkovice.cz: 1920 records, SHA-1, 1712 passwords (just 21 accounts with .cz TLD, others look weird, some password hashes include SQL snippets like UNION SELECT)
  66. nesedtedoma.cz: 585 records, plaintext
  67. nockostelu.cz: 2668 records, bcrypt, 0 passwords
  68. online-hry.cz: 1907 records, plaintext+MD5, 1390 passwords
  69. ostyle.cz: 4157 records, Salted MD5, 3845 passwords
  70. ovocenaraut.cz: 1451 records, MD5, 1125 passwords
  71. papcel.cz: 11583 records, MD5, 11208 passwords
  72. pressonline.cz: 5100 records, plaintext+MD5, 5071 passwords
  73. rallyfan.cz: 75317 records, SHA-1, 0 passwords (74960 users have SHA-1 hash of an empty string)
  74. regionvalassko.cz: 496 records, plaintext
  75. roxette.cz: 4215 records, SHA-256, 0 passwords
  76. expedice.rps.cz: 21655 records, plaintext+MD5, 20596 passwords (plaintext passwords look randomly generated with length 5–6 characters, unlike MD5-hashed passwords)
  77. saspi.cz: 5579 records, MD5, 4828 passwords
  78. satelit.cz: 2380 records, DES crypt()+md5crypt, 0 passwords (161 records use md5crypt $1$)
  79. sawan.cz: 7537 records, plaintext
  80. scandinaviashop.cz: 2249 records, MD5, 1327 passwords
  81. scena.cz: 2142 records, plaintext
  82. sexonline.cz: 2832 records, plaintext
  83. sexyweb.cz: 8871 records, plaintext
  84. signaturymaliru.cz: 53377 records, MD5, 50852 passwords
  85. skmseno.cz: 5117 records, plaintext+MD5, 4793 passwords
  86. softball.cz: 640 records, plaintext
  87. soural.cz: 93499 records, MD5, 69840 passwords
  88. spoltex-kravare.cz: 2036 records, MD5+SHA-1, 447 passwords
  89. stoebich.cz: 1702 records, MD5, 0 passwords
  90. www1.streetpunk.cz: 1370 records, SHA-1, 1351 passwords
  91. mks.stribro.cz: 3422 records, MD5, 3379 passwords (also present in infocentrum.stribro.cz and stribro.cz, but those have fewer accounts)
  92. studiumchemie.cz: 1495 records, MD5, 0 passwords
  93. foto.sviga.cz: 4236 records, plaintext+MD5, 4190 passwords
  94. thalie.pilsfree.cz: 3796 records, MySQL5 hash, 2794 passwords
  95. valtickepodzemi.cz: 1748 records, MD5, 1618 passwords
  96. w.veteranforum.cz: 9520 records, plaintext
  97. vysivaniberuska.cz: 537 records, plaintext
  98. wifi.vscom.cz: 1085 records, plaintext
  99. windseznam.pb.cz: 2244 records, MD5, 2214 passwords
  100. wohnout.nen.cz: 4429 records, MD5, 0 passwords

In total, there are almost 450k passwords in the clear. In some cases, the number of leaked records exceeds what that particular site could plausibly have stored. That's probably due to shared database credentials, which allowed dumping the databases of multiple sites by exploiting just one vulnerability.
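The per-site storage algorithms above were read off the format of the stored fields. As an added example (my own code, not the post's or any tool's), here is a small classifier that does the same for a dump in `email:field` form and tallies how many records are plaintext or fast unsalted digests, which is the question a site owner checking their own table wants answered. It also recognises the well-known digests of the empty string, so a table like the rallyfan.cz one above shows up as “no password set” rather than as tens of thousands of weak passwords. The sample dump is constructed for this example; the values in it are made up.

```python
import hashlib
import re
from collections import Counter

# Digests of the empty string, computed rather than hard-coded. Many accounts
# carrying one of these means "no password set", as in the rallyfan.cz case.
EMPTY_DIGESTS = {
    hashlib.md5(b"").hexdigest(): "MD5(empty)",
    hashlib.sha1(b"").hexdigest(): "SHA-1(empty)",
    hashlib.sha256(b"").hexdigest(): "SHA-256(empty)",
}

HEX = re.compile(r"[0-9a-fA-F]+")
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # classic 13-character crypt(3) output

# Schemes that are readable outright or are fast unsalted digests.
WEAK = {"plaintext?", "MD5", "SHA-1", "SHA-256"}


def classify(stored: str) -> str:
    """Guess the storage scheme of one password field from its format alone."""
    if stored == "":
        return "empty"
    if stored.lower() in EMPTY_DIGESTS:
        return EMPTY_DIGESTS[stored.lower()]
    if stored.startswith("$1$"):
        return "md5crypt"
    if stored.startswith(("$H$", "$P$")):
        return "phpBB3/phpass"
    if stored.startswith("$S$"):
        return "Drupal7"
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if stored.startswith("*") and len(stored) == 41 and HEX.fullmatch(stored[1:]):
        return "MySQL5"
    if HEX.fullmatch(stored):
        # 32/40/64 hex characters are the usual unsalted digests; anything else
        # (e.g. the 11-character truncated MD5 seen above) is reported by length.
        return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(stored), "hex:%d" % len(stored))
    if DES_CRYPT.fullmatch(stored):
        return "DES crypt"  # cannot be told apart from a 13-character plaintext
    return "plaintext?"


def summarize(lines):
    """Count schemes over 'email:password-field' lines (assumed dump format)."""
    schemes = Counter()
    for line in lines:
        if ":" not in line:
            continue
        _, field = line.split(":", 1)
        schemes[classify(field.strip())] += 1
    return schemes


def weak_count(schemes: Counter) -> int:
    """Records whose password is readable or sits in a fast unsalted digest."""
    return sum(n for scheme, n in schemes.items()
               if scheme in WEAK or scheme.startswith("hex:"))


# Constructed sample dump: made-up addresses and fields in the formats listed above.
SAMPLE_DUMP = """\
alice@example.cz:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.cz:da39a3ee5e6b4b0d3255bfef95601890afd80709
carol@example.cz:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.
dave@example.cz:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
erin@example.cz:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
frank@example.cz:$H$9abcdefghijklmnopqrstuvwxyz01234
grace@example.cz:$S$Dabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ
heidi@example.cz:password123
ivan@example.cz:
judy@example.cz:d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_DUMP.splitlines())
    for scheme, n in stats.most_common():
        print(f"{n:4d}  {scheme}")
    print("weak records:", weak_count(stats))
```

Format sniffing is a heuristic: a 13-character plaintext looks like DES crypt and a 32-character hex plaintext looks like MD5, so treat the output as a first pass over a table, not as proof of how a site hashed anything.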

The “BigDB” combo also contains a few files named cz.txt etc. which look like a compilation of even older breaches; they match, at least partly, a database first spotted in 2017. These files contain 3,295,430 clear passwords.

Analyze all the passwords

Take all those passwords, run Pipal the password analyzer on them, and this is what you'll get:

  • Total entries: 3,740,880
  • Total unique entries: 2,281,413
  • Top passwords:
    1. 123456 = 19,323 (0.52%)
    2. password = 13,155 (0.35%)
    3. 123456789 = 6,436 (0.17%)
    4. qwerty = 5,521 (0.15%)
    5. 12345 = 5,197 (0.14%)
  • Top base words:
    1. password = 15,619 (0.42%)
    2. qwerty = 9,953 (0.27%)
    3. martin = 4,747 (0.13%)
    4. heslo = 4,422 (0.12%)
    5. a838hfid = 4,124 (0.11%)
  • Password length (count ordered):
    1. 8 = 984,760 (26.32%)
    2. 6 = 734,481 (19.63%)
    3. 7 = 556,580 (14.88%)
    4. 9 = 410,853 (10.98%)
    5. 10 = 324,030 (8.66%)
  • Passwords with only lowercase alpha: 1,355,091 (36.22%)
  • Only uppercase alpha: 40,970 (1.1%)
  • Only alpha: 1,396,061 (37.32%)
  • Only numeric: 447,514 (11.96%)
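The numbers above come from Pipal. As an added example (my own code, not Pipal's or the post's), here is a stripped-down analyzer in Python that produces the same kinds of figures: total and unique entries, top passwords, top base words, length distribution and the character-class shares. The base-word rule (strip leading and trailing non-letters, lowercase) is my approximation of what Pipal reports, and the password list is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample list: made-up entries, not passwords from the combos.
SAMPLE_PASSWORDS = (
    ["123456"] * 5 + ["password"] * 4 + ["Password1"] * 2 + ["heslo"] * 2
    + ["qwerty", "martin88", "ABCDEFG", "a838hfid", "Martin!", "12345",
       "letmein1", "Summer2018"]
)

# Character-class categories in the spirit of Pipal's report.
CLASSES = {
    "only lowercase alpha": re.compile(r"[a-z]+"),
    "only uppercase alpha": re.compile(r"[A-Z]+"),
    "only alpha": re.compile(r"[A-Za-z]+"),
    "only numeric": re.compile(r"[0-9]+"),
}


def base_word(password: str) -> str:
    """Approximate base word: drop leading/trailing non-letters, lowercase the rest."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def analyze(passwords, top=5):
    """Return Pipal-style statistics; percentages are of all entries, 2 decimals."""
    total = len(passwords)

    def pct(n):
        return round(100.0 * n / total, 2)

    def with_pct(pairs):
        return [(value, n, pct(n)) for value, n in pairs]

    bases = Counter(b for b in (base_word(p) for p in passwords) if b)
    classes = {}
    for name, pattern in CLASSES.items():
        n = sum(1 for p in passwords if pattern.fullmatch(p))
        classes[name] = (n, pct(n))
    return {
        "total": total,
        "unique": len(set(passwords)),
        "top_passwords": with_pct(Counter(passwords).most_common(top)),
        "top_base_words": with_pct(bases.most_common(top)),
        "top_lengths": with_pct(Counter(len(p) for p in passwords).most_common(top)),
        "classes": classes,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS)
    print("Total entries:", report["total"])
    print("Total unique entries:", report["unique"])
    for key in ("top_passwords", "top_base_words", "top_lengths"):
        print(key.replace("_", " ").capitalize() + ":")
        for i, (value, n, share) in enumerate(report[key], 1):
            print(f"  {i}. {value} = {n} ({share}%)")
    for name, (n, share) in report["classes"].items():
        print(f"Passwords with {name}: {n} ({share}%)")
```

Run it over one password per line from your own cracked or plaintext dump (read the file into a list instead of `SAMPLE_PASSWORDS`) to see the same lowercase-only and numeric-only shares the post reports for the Czech data.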

Total number of unique emails

In “BigDB”, there's a total of 3,023,494 unique email addresses with clear passwords sourced from the Czech sites listed above. There are 2,923,512 unique emails with the .cz TLD.

Merge that with the 1.4 billion combo and the result is that attackers have 6.2 million unique email addresses with the .cz TLD, including passwords. And that's without breaches like the Mall.cz one and some others which, for some reason, are not present in these massive combos. Not bad for a rather small country with a population of 10.5 million.

Good luck if you're reusing your passwords.


Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.
