January 23, 2019
Yesterday I checked Czech websites in “Collection #1” and others (like “Collection #2” to “Collection #5”, “BigDB”); today I've checked Slovak sites. We're neighboring countries with a lot of shared history, and many Czech users have accounts on Slovak sites as well, so it seemed like a good idea.
If you want an intro to this “BigDB” leak or a list of Czech sites, go read my previous article, I'll wait.
A gentle reminder: each site below lists the password storage algorithm seen in the “BigDB” combo and the number of records. I've also added the number of cracked passwords in the combo in case the site used some password “obfuscation”. It's possible to crack more in a few more hours (and for a few dollars) but I didn't do it this time except in some minor cases. Check my write-up about password cracking if you want to know more about the techniques used nowadays and how much it costs.
A lot of these sites still use (or used at the time of the breach) incorrect and insecure password storage. If you're like these sites then please stop. Here's how to upgrade password hashing.
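As an added example (not code from the original post, nor from any of the sites listed), here is one way to do the upgrade the linked how-to describes for a table of unsalted MD5 hashes: wrap every existing hash in a slow, salted hash immediately, without waiting for users to log in, and replace the wrapped value with a direct slow hash the next time the user authenticates. It uses hashlib.scrypt from the Python standard library in place of the bcrypt mentioned in this post so that it runs without extra packages; the user name, the hash format prefixes and the scrypt cost parameters are my assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# scrypt cost parameters (assumed values for this example; each hash needs
# about 128*N*r*p bytes of memory, 16 MiB here; raise N on real hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Direct scrypt of the password, stored as 'scrypt$<salt>$<digest>'."""
    salt = secrets.token_bytes(16)
    return "scrypt$%s$%s" % (salt.hex(), _scrypt(password.encode(), salt).hex())


def wrap_legacy_md5(md5_hex: str) -> str:
    """Upgrade an unsalted MD5 hash offline, without knowing the password:
    the stored value becomes scrypt(salt, md5_hex). Whoever steals the table
    now pays one scrypt per guess instead of one fast MD5."""
    salt = secrets.token_bytes(16)
    return "scrypt-md5$%s$%s" % (salt.hex(), _scrypt(md5_hex.encode(), salt).hex())


def migrate_store(legacy_md5: Dict[str, str]) -> Dict[str, str]:
    """One-off batch job: wrap every MD5 hash; nobody has to log in first."""
    return {user: wrap_legacy_md5(h) for user, h in legacy_md5.items()}


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either format. Returns (ok, replacement):
    replacement is a fresh direct scrypt hash when the record still carries
    the MD5 layer and the password matched, so the caller can store it."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "scrypt-md5":
        inner = hashlib.md5(password.encode()).hexdigest().encode()
    elif scheme == "scrypt":
        inner = password.encode()
    else:
        raise ValueError("unknown hash scheme: " + scheme)
    ok = hmac.compare_digest(_scrypt(inner, salt).hex(), digest_hex)
    if ok and scheme == "scrypt-md5":
        return True, hash_password(password)  # drop the MD5 layer now
    return ok, None


# Hash checked for unknown users so a login attempt costs about the same
# time whether or not the user name exists.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate and rewrite the record to the direct scrypt format on the
    first successful login after the batch migration."""
    stored = store.get(user)
    if stored is None:
        verify(_DUMMY_HASH, password)
        return False
    ok, replacement = verify(stored, password)
    if replacement is not None:
        store[user] = replacement
    return ok


# Constructed legacy table (hypothetical user and password): unsalted MD5
# hex digests, the "before" state this post complains about.
LEGACY_MD5 = {"alice": hashlib.md5(b"hesloveslo456").hexdigest()}

if __name__ == "__main__":
    users = migrate_store(LEGACY_MD5)
    print(users["alice"].split("$")[0])           # scrypt-md5
    print(login(users, "alice", "hesloveslo456"))  # True, record rewritten
    print(users["alice"].split("$")[0])           # scrypt
```

The batch step is what matters for a breach: once `migrate_store` has run, a dumped table no longer contains anything a fast MD5 cracker can work on, even for accounts that never log in again. The `scrypt-md5` records can be removed from the code path once they have all been rewritten or expired.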
Also please keep in mind that the mere presence of a site in the “BigDB” combo database doesn't mean the data really comes from that particular site. These are mostly unverified leaks, for now.
Slovak sites in password combos
- bozpo.sk: 4565 records, plaintext
- bridgekosice.sk: 2360 records, bcrypt+MD5(?), 0 passwords (just one account with a bcrypt hash, none of the accounts with MD5 hashes has a .sk email address)
- cykloabc.sk: 2111 records, plaintext (1835 passwords appear to be randomly generated, 8 characters long)
- djservice.sk: 2446 records, plaintext (also in the combo as dj-service.sk, djshop.sk, dj-shop.sk with mostly overlapping data)
- evillabs.sk: 48816 records, DES crypt(), 0 passwords
- gustokids.sk: 1015 records, plaintext
- i-shops.sk: 3048 records, plaintext
- joico.sk: 793 records, plaintext (167× “9Qfeus8v4U”)
- kassotechnik.sk: 861 records, plaintext
- kolesa.sk: 2501 records, plaintext
- levican.sk: 5651 records, MD5, 0 passwords
- lutov.sk: 1118 records, MD5, 796 passwords (103× “x4ivygA51F”)
- mata.skiper.sk: 1400 records, plaintext
- mojobraz.sk: 3092 records, plaintext
- mydream.sk: 5924 records, plaintext
- papanica.sk: 5550 records, MD5+SHA-1(?), 1731 passwords (30× “veslo321”)
- polymer.sav.sk: 2774 records, Salted MD5, 0 passwords (1877 accounts with random @dendride.ru emails)
- predporodnapriprava.sk: 989 records, MD5, 955 passwords
- referaty.hladas.sk: 1006 records, MD5, 1004 passwords
- risopepi.sk: 662 records, MD5(?), 0 passwords
- rooftop.sk: 9250 records, MD5, 6935 passwords
- rs-tuning.sk: 6143 records, MD5, 3828 passwords
- sktorrent.eu: 118588 records, plaintext (this comes from a well-known 2016 leak)
- songster.sk: 5218 records, MD5, 0 passwords
- superceny4u.sk: 498 records, plaintext (298 accounts with no password)
- tombraider.sk: 4683 records, MD5(?), 0 passwords
- vupas.sk: 1115 records, plaintext
- woodresearch.sk: 2090 records, plaintext (random 8-character passwords, with a few exceptions)
There are 165k cleartext passwords in the “BigDB” combo that come from Slovak sites. In some cases, the amount of leaked data seems to exceed what that particular site could plausibly have been storing. That's probably due to shared database credentials, which allowed an attacker to dump the databases of multiple sites by exploiting just one vulnerability.
Analyzing all the passwords
Running Pipal, the password analyzer, on all the passwords gives this result:
- Total entries: 164,948
- Total unique entries: 133,122
- Top passwords:
  - 123456 = 941 (0.57%)
  - FuckYou = 865 (0.52%, the Top 1 password from the SkTorrent dump)
  - 123456789 = 729 (0.44%)
  - hesloveslo456 = 397 (0.24%)
  - x4ivygA51F = 348 (0.21%)
- Top base words:
  - fuckyou = 876 (0.53%)
  - heslo = 477 (0.29%)
  - hesloveslo = 405 (0.25%)
  - martin = 350 (0.21%)
  - x4ivyga51f = 348 (0.21%)
- Password length (count ordered):
  - 8 = 35,052 (21.25%)
  - 10 = 30,323 (18.38%)
  - 6 = 20,773 (12.59%)
  - 9 = 20,392 (12.36%)
  - 7 = 17,270 (10.47%)
- Passwords with only lowercase alpha: 48,583 (29.45%)
- Only uppercase alpha: 1,061 (0.64%)
- Only alpha: 49,644 (30.1%)
- Only numeric: 19,493 (11.82%)
Total number of unique emails
In “BigDB”, there are a total of 161,592 unique email addresses with clear, readable passwords that are sourced from the Slovak sites listed above. There are 48,934 unique emails with the .sk TLD. I hear that Gmail's market share is bigger in Slovakia than in Czechia, and the rather low number of .sk emails would reflect that.
Merge that with the 1.4 billion combo and the result is that attackers have 1.14 million unique email addresses with the .sk TLD, passwords included. Not bad for a country with a population of 5.4 million, not bad.
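The Pipal statistics above and the unique-email and TLD counts in this section can both be reproduced with a small script over a combo file. Here is an added example of that, written for this post and not part of it or of Pipal: it parses the usual `email:password` layout, normalizes addresses so case variants of one address count once, and reports the same categories Pipal prints (top passwords, top base words, length distribution, single-character-class passwords) plus unique emails per TLD. The sample lines are constructed with hypothetical addresses and passwords, and the base-word rule is my approximation of Pipal's.

```python
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

# Constructed sample in the usual "email:password" combo layout
# (hypothetical addresses and passwords, not lines from the dump).
SAMPLE_COMBO = """\
jan.novak@example.sk:123456
Jan.Novak@example.sk:123456
eva@example.cz:hesloveslo
peter@example.sk:x4ivygA51F
martin77@example.sk:heslo2019
admin@EXAMPLE.SK:Heslo123!
kata@gmail.com:123456789
zuzana@example.sk:
broken line without separator
"""


def parse_combo(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (email, password) pairs. Only the first ':' separates the two,
    because a password may contain ':' while an address cannot. Emails are
    lower-cased so case variants of one address count once. Lines without a
    separator or without '@' are skipped; an empty password is kept so the
    caller can count accounts with no password at all."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email:
            continue
        yield email, password


def base_word(password: str) -> str:
    """Pipal-style base word (assumed approximation): strip digits and symbols
    from both ends and lower-case the rest, so 'Heslo123!' -> 'heslo'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


_CLASSES = {
    "only_lowercase_alpha": re.compile(r"^[a-z]+$"),
    "only_uppercase_alpha": re.compile(r"^[A-Z]+$"),
    "only_alpha": re.compile(r"^[A-Za-z]+$"),
    "only_numeric": re.compile(r"^[0-9]+$"),
}


def analyze(text: str, top: int = 5) -> Dict[str, object]:
    """Pipal-like summary of the passwords plus unique-email figures."""
    records = list(parse_combo(text))
    passwords = [pw for _, pw in records if pw]
    total = len(passwords)

    def pct(n: int) -> float:  # percentage of total entries, two decimals
        return round(100.0 * n / total, 2) if total else 0.0

    pw_counts = Counter(passwords)
    bases = Counter(b for b in (base_word(pw) for pw in passwords) if b)
    lengths = Counter(len(pw) for pw in passwords)
    classes = {name: sum(1 for pw in passwords if rx.match(pw))
               for name, rx in _CLASSES.items()}
    emails = {email for email, _ in records}
    tlds = Counter(email.rsplit(".", 1)[-1] for email in emails)
    return {
        "total_entries": total,
        "total_unique_entries": len(pw_counts),
        "accounts_without_password": len(records) - total,
        "top_passwords": [(pw, n, pct(n)) for pw, n in pw_counts.most_common(top)],
        "top_base_words": [(b, n, pct(n)) for b, n in bases.most_common(top)],
        "length_counts": lengths.most_common(),
        "character_classes": {k: (v, pct(v)) for k, v in classes.items()},
        "unique_emails": len(emails),
        "emails_by_tld": dict(tlds),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_COMBO).items():
        print(key, value)
```

Pass the contents of a real combo file to `analyze` instead of `SAMPLE_COMBO` to get the same categories as the Pipal output above; the `emails_by_tld` counter is where the .sk figure comes from, and `accounts_without_password` is the kind of number reported for superceny4u.sk in the list.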
Good luck if you're reusing your passwords.