January 23, 2019

Yesterday I checked Czech websites in “Collection #1” and others (like “Collection #2” to “Collection #5”, “BigDB”), today I've checked Slovak sites. We're neighboring countries and historically have a lot in common, many Czech users have accounts on Slovak sites as well, so it seemed like a good idea.

If you want an intro to this “BigDB” leak or a list of Czech sites, go read my previous article, I'll wait.

A gentle reminder: each site below lists a password storage algorithm from the “BigDB” combo, and number of records. I've also added the number of cracked passwords in the combo in case the site used some password “obfuscation”. It's possible to crack more in a few more hours (and for a few dollars) but I didn't do it this time except in some minor cases. Check my write-up about password cracking if you want to know more about techniques used nowadays and how much does it cost.

A lot of these sites still use (or have used at the time of the breach) wrong and insecure passwords storage. If you're like these sites then please stop. Here's how to upgrade password hashing.

Also please keep in mind that the sole presence of the site in the “BigDB” combo database doesn't mean that the data really comes from that particular site. It's mostly unverified leaks, yet.

Slovak sites in password combos

  1. bozpo.sk: 4565 records, plaintext
  2. bridgekosice.sk: 2360 records, bcrypt+MD5(?), 0 passwords (just one account with a bcrypt hash, none of the accounts with MD5 hashes has a .sk email address)
  3. cykloabc.sk: 2111 records, plaintext (1835 passwords seem randomly generated with length 8 characters)
  4. djservice.sk: 2446 records, plaintext (also in the combo as dj-service.sk, djshop.sk, dj-shop.sk with mostly overlapping data)
  5. evillabs.sk: 48816 records, DES crypt(), 0 passwords
  6. gustokids.sk: 1015 records, plaintext
  7. i-shops.sk: 3048 records, plaintext
  8. joico.sk: 793 records, plaintext (167× “9Qfeus8v4U”)
  9. kassotechnik.sk: 861 records, plaintext
  10. kolesa.sk: 2501 records, plaintext
  11. levican.sk: 5651 records, MD5, 0 passwords
  12. lutov.sk: 1118 records, MD5, 796 passwords (103× “x4ivygA51F”)
  13. mata.skiper.sk: 1400 records, plaintext
  14. mojobraz.sk: 3092 records, plaintext
  15. mydream.sk: 5924 records, plaintext
  16. papanica.sk: 5550 records, MD5+SHA-1(?), 1731 passwords (30× “veslo321”)
  17. polymer.sav.sk: 2774 records, Salted MD5, 0 passwords (1877 accounts with random @dendride.ru emails)
  18. predporodnapri­prava.sk: 989 records, MD5, 955 passwords
  19. referaty.hladas­.sk: 1006 records, MD5, 1004 passwords
  20. risopepi.sk: 662 records, MD5(?), 0 passwords
  21. rooftop.sk: 9250 records, MD5, 6935 passwords
  22. rs-tuning.sk: 6143 records, MD5, 3828 passwords
  23. sktorrent.eu: 118588 records, plaintext (this comes from a well-known 2016 leak)
  24. songster.sk: 5218 records, MD5, 0 passwords
  25. superceny4u.sk: 498 records, plaintext (298 accounts with no password)
  26. tombraider.sk: 4683 records, MD5(?), 0 passwords
  27. vupas.sk: 1115 records, plaintext
  28. woodresearch.sk: 2090 records, plaintext (random passwords with length 8 characters, with a few exceptions)

There's 165k cleartext passwords in the “BigDB” combo that come from Slovak sites. In some cases, it seems that the number of leaked data exceeds the amount of what that particular site might be storing. That's probably due to shared database credentials which allowed to dump databases from multiple sites exploiting just one vulnerability.

Analyze all the passwords

Running Pipal the password analyzer on all the passwords gives this result:

  • Total entries: 164,948
  • Total unique entries: 133,122
  • Top passwords:
    1. 123456 = 941 (0.57%)
    2. FuckYou = 865 (0.52%, the Top 1 password from the SkTorrent dump)
    3. 123456789 = 729 (0.44%)
    4. hesloveslo456 = 397 (0.24%)
    5. x4ivygA51F = 348 (0.21%)
  • Top base words:
    1. fuckyou = 876 (0.53%)
    2. heslo = 477 (0.29%)
    3. hesloveslo = 405 (0.25%)
    4. martin = 350 (0.21%)
    5. x4ivyga51f = 348 (0.21%)
  • Password length (count ordered):
    1. 8 = 35,052 (21.25%)
    2. 10 = 30,323 (18.38%)
    3. 6 = 20,773 (12.59%)
    4. 9 = 20,392 (12.36%)
    5. 7 = 17,270 (10.47%)
  • Passwords with only lowercase alpha: 48,583 (29.45%)
  • Only uppercase alpha: 1,061 (0.64%)
  • Only alpha: 49,644 (30,1%)
  • Only numeric: 19,493 (11,82%)

Total number of unique emails

In “BigDB”, there's total of 161,592 unique email addresses and clear, readable passwords, which are sourced from Slovak sites listed above. There's 48,934 u­nique emails with .sk TLD. I hear that Gmail's market share is bigger in Slovakia than in Czechia, and the rather low number of .sk emails would reflect that.

Merge that with the 1.4 billion combo and the result is that the attackers have 1.14 million unique email addresses with .sk TLD including passwords. Not bad, for this country with population of 5.4 million, not bad.

Good luck if you're reusing your passwords.


Recommended reading

Michal Špaček

Michal Špaček

I build web applications and I'm into web application security. I like to speak about secure development. My mission is to teach web developers how to build secure and fast web applications and why.

Public trainings

Come to my public trainings, everybody's welcome:

PHP application security
(June 2019 Praha)

HTTPS for developers and admins
(June 2019 Praha)