January 23, 2019

Yesterday I checked Czech websites in “Collection #1” and others (like “Collection #2” to “Collection #5”, “BigDB”); today I checked Slovak sites. We're neighboring countries that historically have a lot in common, and many Czech users have accounts on Slovak sites as well, so it seemed like a good idea.

If you want an intro to this “BigDB” leak or a list of Czech sites, go read my previous article, I'll wait.

A gentle reminder: each site below lists the password storage algorithm found in the “BigDB” combo and the number of records. I've also added the number of cracked passwords in the combo in case the site used some password “obfuscation”. It would be possible to crack more in a few more hours (and for a few dollars), but I didn't do it this time except in some minor cases. Check my write-up about password cracking if you want to know more about the techniques used nowadays and how much it costs.

A lot of these sites still use (or used at the time of the breach) wrong and insecure password storage. If you're like these sites then please stop. Here's how to upgrade password hashing.
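One way to do the upgrade without forcing everyone to reset their password, as an added example that is not the article's own code: existing unsalted MD5 digests are wrapped in PBKDF2-HMAC-SHA256 (Python standard library) in bulk, so the database stops holding fast-to-crack MD5 values immediately, and each account is moved to a direct PBKDF2 hash the next time its owner logs in successfully. The scheme names, the 600,000 iteration count and the `$scheme$iterations$salt$hash` encoding are assumptions made here.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Added example, not the article's own code: move a legacy store of unsalted
# MD5 digests to PBKDF2-HMAC-SHA256 (stdlib) without a forced password reset.
# Two schemes coexist during the transition:
#   pbkdf2      PBKDF2 over the plaintext password      (target scheme)
#   pbkdf2-md5  PBKDF2 over the legacy hex MD5 digest   (wrapped, migrated in bulk)
ITERATIONS = 600_000  # assumed work factor; tune to your login latency budget

def legacy_md5(password: str) -> str:
    """The insecure legacy scheme (unsalted MD5); used here only to build sample data."""
    return hashlib.md5(password.encode()).hexdigest()

def _pbkdf2(material: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, iterations)

def _encode(scheme: str, salt: bytes, digest: bytes, iterations: int) -> str:
    return f"${scheme}${iterations}${salt.hex()}${digest.hex()}"

def hash_password(password: str) -> str:
    """Hash a plaintext password with the target scheme (fresh random salt)."""
    salt = os.urandom(16)
    return _encode("pbkdf2", salt, _pbkdf2(password, salt, ITERATIONS), ITERATIONS)

def wrap_legacy_md5(md5_hex: str) -> str:
    """Bulk migration step: wrap an existing MD5 digest so the database no longer
    holds fast-to-crack MD5 values. Needs no knowledge of the password itself."""
    salt = os.urandom(16)
    return _encode("pbkdf2-md5", salt, _pbkdf2(md5_hex, salt, ITERATIONS), ITERATIONS)

def verify(password: str, stored: str) -> tuple[bool, str | None]:
    """Check a login. Returns (ok, replacement): replacement is a new target-scheme
    hash when the stored value was a wrapped legacy hash and should be overwritten."""
    _, scheme, iters, salt_hex, digest_hex = stored.split("$")
    material = legacy_md5(password) if scheme == "pbkdf2-md5" else password
    candidate = _pbkdf2(material, bytes.fromhex(salt_hex), int(iters))
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False, None
    return True, (hash_password(password) if scheme == "pbkdf2-md5" else None)
```

The bulk step runs once over the whole table; `verify` does the per-account upgrade and constant-time comparison on every login.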

Also please keep in mind that the mere presence of a site in the “BigDB” combo database doesn't mean that the data really comes from that particular site. These are mostly unverified leaks, so far.

Slovak sites in password combos

  1. bozpo.sk: 4565 records, plaintext
  2. bridgekosice.sk: 2360 records, bcrypt+MD5(?), 0 passwords (just one account with a bcrypt hash, none of the accounts with MD5 hashes has a .sk email address)
  3. cykloabc.sk: 2111 records, plaintext (1835 passwords seem randomly generated with length 8 characters)
  4. djservice.sk: 2446 records, plaintext (also in the combo as dj-service.sk, djshop.sk, dj-shop.sk with mostly overlapping data)
  5. evillabs.sk: 48816 records, DES crypt(), 0 passwords
  6. gustokids.sk: 1015 records, plaintext
  7. i-shops.sk: 3048 records, plaintext
  8. joico.sk: 793 records, plaintext (167× “9Qfeus8v4U”)
  9. kassotechnik.sk: 861 records, plaintext
  10. kolesa.sk: 2501 records, plaintext
  11. levican.sk: 5651 records, MD5, 0 passwords
  12. lutov.sk: 1118 records, MD5, 796 passwords (103× “x4ivygA51F”)
  13. mata.skiper.sk: 1400 records, plaintext
  14. mojobraz.sk: 3092 records, plaintext
  15. mydream.sk: 5924 records, plaintext
  16. papanica.sk: 5550 records, MD5+SHA-1(?), 1731 passwords (30× “veslo321”)
  17. polymer.sav.sk: 2774 records, Salted MD5, 0 passwords (1877 accounts with random @dendride.ru emails)
  18. predporodnapriprava.sk: 989 records, MD5, 955 passwords
  19. referaty.hladas.sk: 1006 records, MD5, 1004 passwords
  20. risopepi.sk: 662 records, MD5(?), 0 passwords
  21. rooftop.sk: 9250 records, MD5, 6935 passwords
  22. rs-tuning.sk: 6143 records, MD5, 3828 passwords
  23. sktorrent.eu: 118588 records, plaintext (this comes from a well-known 2016 leak)
  24. songster.sk: 5218 records, MD5, 0 passwords
  25. superceny4u.sk: 498 records, plaintext (298 accounts with no password)
  26. tombraider.sk: 4683 records, MD5(?), 0 passwords
  27. vupas.sk: 1115 records, plaintext
  28. woodresearch.sk: 2090 records, plaintext (random passwords with length 8 characters, with a few exceptions)

There are 165k cleartext passwords in the “BigDB” combo that come from Slovak sites. In some cases, the number of leaked records seems to exceed what that particular site could plausibly have been storing. That's probably due to shared database credentials, which allowed dumping databases from multiple sites by exploiting just one vulnerability.

Analyze all the passwords

Running Pipal, the password analyzer, on all the passwords gives this result:

  • Total entries: 164,948
  • Total unique entries: 133,122
  • Top passwords:
    1. 123456 = 941 (0.57%)
    2. FuckYou = 865 (0.52%, the Top 1 password from the SkTorrent dump)
    3. 123456789 = 729 (0.44%)
    4. hesloveslo456 = 397 (0.24%)
    5. x4ivygA51F = 348 (0.21%)
  • Top base words:
    1. fuckyou = 876 (0.53%)
    2. heslo = 477 (0.29%)
    3. hesloveslo = 405 (0.25%)
    4. martin = 350 (0.21%)
    5. x4ivyga51f = 348 (0.21%)
  • Password length (count ordered):
    1. 8 = 35,052 (21.25%)
    2. 10 = 30,323 (18.38%)
    3. 6 = 20,773 (12.59%)
    4. 9 = 20,392 (12.36%)
    5. 7 = 17,270 (10.47%)
  • Passwords with only lowercase alpha: 48,583 (29.45%)
  • Only uppercase alpha: 1,061 (0.64%)
  • Only alpha: 49,644 (30.1%)
  • Only numeric: 19,493 (11.82%)
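To show what these numbers measure, here is an added example (not the article's code, and not Pipal itself) that computes the same categories over a small constructed password list and additionally flags a single password shared by many accounts, the pattern behind entries like “167× 9Qfeus8v4U” in the site list. The base-word rule approximates Pipal's (strip leading and trailing non-letters, lowercase), and the 5% sharing threshold is an assumption.

```python
from __future__ import annotations
import re
from collections import Counter

# Added example, not the article's code or Pipal itself: the core statistics Pipal
# reports, computed over a constructed password list. Base words are approximated
# the way Pipal derives them: strip non-letters at both ends, then lowercase.
# SAMPLE is made up, shaped after patterns in the article (a generated password
# shared by many accounts, digit-only and lowercase-only passwords).
SAMPLE = (["123456"] * 5 + ["FuckYou"] * 4 + ["x4ivygA51F"] * 3
          + ["hesloveslo456", "Heslo123!", "heslo", "martin", "martin2019",
             "MARTIN", "ABCDEFGH", "123456789", "qwerty1", "Veslo321", "9Qfeus8v4U"])

def base_word(password: str) -> str:
    """Pipal-style base word: drop non-letters at both ends, lowercase the rest."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()

def analyze(passwords: list[str], top: int = 5) -> dict:
    """Return Pipal-like statistics for a list of cleartext passwords."""
    total = len(passwords)

    def share(pattern: str) -> tuple[int, float]:  # (count, percent of all entries)
        n = sum(1 for p in passwords if re.fullmatch(pattern, p))
        return n, round(100 * n / total, 2)

    return {
        "total": total,
        "unique": len(set(passwords)),
        "top_passwords": Counter(passwords).most_common(top),
        "top_base_words": Counter(b for p in passwords if (b := base_word(p))).most_common(top),
        "lengths": Counter(len(p) for p in passwords).most_common(top),
        "only_lower": share(r"[a-z]+"),
        "only_upper": share(r"[A-Z]+"),
        "only_alpha": share(r"[A-Za-z]+"),
        "only_numeric": share(r"[0-9]+"),
    }

def flag_shared_passwords(passwords: list[str], min_share: float = 0.05) -> list[tuple[str, int]]:
    """Passwords used by at least min_share of all accounts: a sign of a default or
    site-generated password handed to many users rather than chosen by them."""
    counts = Counter(passwords)
    return [(p, n) for p, n in counts.most_common() if n / len(passwords) >= min_share]
```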

Total number of unique emails

In “BigDB”, there's a total of 161,592 unique email addresses with clear, readable passwords that are sourced from the Slovak sites listed above. There are 48,934 unique emails with the .sk TLD. I hear that Gmail's market share is bigger in Slovakia than in Czechia, and the rather low number of .sk emails would reflect that.

Merge that with the 1.4 billion combo and the result is that the attackers have 1.14 million unique email addresses with the .sk TLD, including passwords. Not bad for a country with a population of 5.4 million, not bad.

Good luck if you're reusing your passwords.

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.