Password data for ~2.2 million users of currency and gaming sites dumped online
Password data and other personal information for no fewer than 2.2 million users of two websites, one a cryptocurrency wallet service and the other a gaming bot provider, have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service.
One trove contains personal information for no fewer than 1.4 million accounts of the GateHub cryptocurrency wallet service. The other contains data for around 800,000 accounts on EpicBot, a bot for the game RuneScape. The databases contain registered e-mail addresses and passwords that are cryptographically hashed with bcrypt, a function that is among the slowest to crack.
The person who published the 3.72 GB GateHub database said it also contains two-factor authentication keys, mnemonic phrases, and wallet hashes, although GateHub officials said an investigation suggested that wallet hashes were not included. Meanwhile, the EpicBot database also contained usernames and IP addresses. Hunt said he had selected a representative sample of accounts from both databases to verify the authenticity of the data. All of the e-mail addresses he checked were registered to accounts on the two sites.
Another indication that the data in the file comes from GateHub account holders is this Twitter post. It came from Aashish Koirala, a self-described software developer who said he recently received a notice from Experian’s identity protection arm. The notice, Koirala said, told him that his “data for @GateHub were compromised on the Dark Web.”
@troyhunt I just received a message from Experian’s IDNotify that my @GateHub credentials were found compromised on the dark web. For your information in case you would receive news about a GateHub breach or hack.
– Aashish Koirala (@aashishkoirala) November 14, 2019
Although there were 2.2 million unique addresses across the two dumps, not every address necessarily has an associated password hash or other information.
Unauthorized access
The GateHub account information, which was posted on a frequently visited hacker forum in late October, came three months after the cryptocurrency service reported that it had been hacked. The attackers, GateHub said, had stolen, or at least tried to steal, a wealth of sensitive information for more than 18,000 user accounts. The wording of the post left unclear which data, beyond the tokens, were successfully obtained.
GateHub officials wrote:
As stated earlier in our investigation update, we believe that the offender has obtained unauthorized access to a database of valid access tokens from our customers. With the help of these tokens, the perpetrator gained access to 18,473 encrypted customer accounts, a very small part of our total user base. For affected accounts, the following data was targeted: email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger portfolios, secret keys (non-deleted portfolios only), first names (if any), last names (if any).
GateHub’s disclosure went on to say that site officials had informed users whose accounts were accessed, generated new encryption keys, and re-encrypted sensitive information such as the ledger wallets’ secret keys.
The posting of the database means that the breach the wallet service announced in July was much bigger than previously thought. Rather than obtaining only access tokens, the attackers also took 2FA keys, e-mail addresses, password hashes, mnemonic phrases, and possibly wallet hashes. In addition, the breach affected as many as 1.4 million GateHub users, not just the 18,473 mentioned in the disclosure. In an e-mail, an unnamed member of the GateHub security team wrote:
We are aware of a database on RaidForums that the author claims belongs to GateHub. The supposed GateHub database is being thoroughly investigated by our team, therefore we cannot confirm its authenticity at this time. We will keep you informed of updates.
From what we have gathered so far, it does not contain wallet hashes. As mentioned earlier, we are still checking its authenticity.
One of our first reactions to the cyber attack was the re-encryption of all GateHub accounts. With the new encryption, all GateHub accounts were re-encrypted and all our customers had to change their passwords. This was introduced in July 2019.
The statement did not explain why the investigation had been unable to verify the authenticity of the data 25 days after it was posted and four months after the service was first breached. It was also unclear exactly what officials meant by “re-encrypted.”
“There are references to PGP (in the database),” Hunt told me. “There are what seem to be PGP-encrypted strings. I’m not sure if that’s what they rotated. Are they talking about rotating cryptographic hashes, or are they talking about this PGP part that relates to wallets?”
Change passwords, mnemonic phrases, etc.
The EpicBot leak was posted on the same hacker forum on October 25, the same day as the GateHub dump. Hunt said it contains around 800,000 unique e-mail addresses, along with usernames, IP addresses, and bcrypt-hashed passwords. EpicBot officials have not responded to requests for comment for this post. I could not find any mention of a breach on the EpicBot website.
The use of the bcrypt hash function on both sites, assuming it has been implemented correctly, is encouraging. Bcrypt is so computationally intensive that it would take years for even clusters of powerful graphics cards to crack all of the passwords. Of course, it is easy to implement bcrypt insecurely. Programming errors made by the Ashley Madison cheating website, for example, made it trivial to crack more than 11 million of the 36 million bcrypt hashes leaked in the site’s 2015 hack.
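To make the point about implementation errors concrete, here is an added example (not code from the article, GateHub, EpicBot, or Ashley Madison). It models the shape of the Ashley Madison mistake: a fast, unsalted MD5 token derived from the same password was stored next to the slow hash, so an attacker could run a dictionary through cheap MD5 and only needed one expensive check per account. Because bcrypt is not in Python’s standard library, PBKDF2-HMAC-SHA256 with a fixed iteration count stands in for bcrypt and its cost factor; the record layout, usernames, wordlist and work factor are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Assumption: iteration count standing in for bcrypt's cost factor. Kept low so
# the demo runs quickly; a real deployment would use a far higher work factor.
WORK_FACTOR = 20_000


def slow_hash(password: str, salt: bytes, work: int = WORK_FACTOR) -> bytes:
    """Stand-in for bcrypt: a salted, deliberately slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, work)


def fast_token(username: str, password: str) -> str:
    """The anti-pattern: unsalted MD5 of case-folded username::password.

    A single modern GPU computes billions of these per second, which is why
    storing such a token beside a bcrypt hash throws bcrypt's protection away.
    """
    return hashlib.md5(f"{username.lower()}::{password.lower()}".encode()).hexdigest()


def make_record(username: str, password: str, leak_fast_token: bool = False) -> dict:
    """Build a stored credential record; optionally add the insecure fast token."""
    salt = os.urandom(16)
    rec = {"user": username, "salt": salt, "hash": slow_hash(password, salt)}
    if leak_fast_token:
        rec["fast_token"] = fast_token(username, password)
    return rec


def verify(rec: dict, password: str) -> bool:
    """Constant-time comparison against the slow hash (the correct login check)."""
    return hmac.compare_digest(slow_hash(password, rec["salt"]), rec["hash"])


def crack(rec: dict, wordlist: list) -> tuple:
    """Dictionary attack. Returns (recovered password or None, slow-hash calls made).

    With only the slow hash present, every guess costs one slow hash. If the
    record also carries the fast token, the attacker sieves the wordlist with
    MD5 first and spends slow hashes only on the surviving candidates.
    """
    candidates = wordlist
    if "fast_token" in rec:
        candidates = [w for w in wordlist if fast_token(rec["user"], w) == rec["fast_token"]]
    slow_calls = 0
    for guess in candidates:
        slow_calls += 1
        if verify(rec, guess):
            return guess, slow_calls
    return None, slow_calls


# Constructed sample data: the victim's password is the last entry of the list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon",
            "runescape", "xrp2themoon", "hunter2"]
VICTIM_PASSWORD = "hunter2"


def demo() -> dict:
    """Compare attack cost with and without the fast token. Returns the counts."""
    safe = make_record("alice", VICTIM_PASSWORD)
    weak = make_record("alice", VICTIM_PASSWORD, leak_fast_token=True)
    pw_safe, cost_safe = crack(safe, WORDLIST)
    pw_weak, cost_weak = crack(weak, WORDLIST)
    return {
        "safe_recovered": pw_safe, "safe_slow_calls": cost_safe,
        "weak_recovered": pw_weak, "weak_slow_calls": cost_weak,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both records are cracked here because the password is in the wordlist, but the cost differs by the length of the wordlist: the hardened record charges one slow hash per guess, while the record with the fast token is reduced to a single slow hash after an MD5 sieve. Scaled to a real wordlist and a real bcrypt cost, that is the difference between years and hours.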
The leak of other types of personal information for as many as 2.2 million accounts is less reassuring, especially since there is little evidence that all affected users were notified in a timely manner. EpicBot users should change their passwords as soon as possible. A password reset is not required for GateHub users because of the mandatory change made in July, but mnemonic phrases should be replaced if they have not been already.
To fend off the growing threat of credential stuffing, users of both sites should also change their passwords on any other sites where the compromised credentials were reused. Users should also be alert to spear phishing and other attacks that make use of their leaked personal information.