Info about breach goes public
Following what Dziennik Internautow wrote in their post, on 5 Sep 2009 a person using nickname Gimbus1xD has informed administrators of wykop.pl about the breach (no link - original post taken down) and about the fact, that some of the information stolen was already used to compromise account held with other websites, including allegro.pl (auction system like eBay). To prove his revelations, Gimbus1xD posted also screen shots of compromised Allegro account with transactions that happened two days earlier and another one with PHPMyAdmin browsing 'users' table.
The scary part here is that as Gimbus1xD wrote, about 40% of those passwords have been broken (despite being hashed) with simple dictionary and brute-force attacks because passwords were up to 7 characters long.
Allegedly the database is in the hands of vichan.net admins, which again allegedly shared 'unhashed' database with their moderators - including Gimbus1xD, who broke the news. So far it's not clear what made Gimbus1xD change his mind and make this information public.
That's not yet the end...
Official version by wykop.pl
hours after the first post by Gimbus1xD and hundreds of comments from
users, wykop.pl published 'press release' on their blog that a couple of weeks ago one of their test servers got broken into and that user's login credentials and e-mail addresses were stolen - that's for users that have registered before 31 March 2009.
of the site have also been blackmailed, so they have informed the Police about
the whole incident. One of the messages from wykop.pl admins suggests
that users were not informed about the breach because:
- as long as the
blackmail negotiations are going on, there is a small chance that the
information would be used for malicious purposes and
- because the
Police asked not to publish any information, because other websites are
involved also as victims - where wykop's users had accounts and shared
the same passwords. In this case, that would be intentional, not to
damage the investigation.
depending on the note the time since when the company knew of the
breach is different, ranging from weeks to mere hours (that would only
suggest to me that they need dedicated spokesman).
... in business terms
I feel really sorry for those guys at wykop.pl. They have their hands tied behind their backs. On one hand they work with the law enforcement (good) but they have been forced to make this information public in a surprising twist of events (not planned for - not good). That doesn't really leave them in good light - some people will be shocked, some will understand. Now they can't say too much to avoid interfering with the investigation but again can't ignore voices of their users. That's really tough one!
How it all happened - more juicy bits
Some details were published by Gimbus1xD himself and that makes really interesting read! First of all, he provided screen shots mentioned earlier and IRC log from the whole event, where you can see how those guys got in.
The log is not censored he says, because all the entry points shown there have been already patched. Anyway it's very interesting to see what critical, unimaginable 'faults' were there at wykop.pl!
Let's make a very short list of what was so horribly wrong there, shall we?
- Test/dev server placed on a public IP address for yet unknown reasons (Were admins/devs so lazy to have it so wide open to be able to work from home? Hello! VPN anyone?)
- Seems like no firewall at all - hands up, pants down, epic fail!
- Box not hardened, with interesting ports open (SSH, MySQL and others)
- MySQL had no password set at all - wide wide open!
19:55 < mepholic> no root password on sql 19:56 < mepholic> mepholic@abydos:~$ mysql -h 18.104.22.168 -u root 19:56 < xxx> oh wow 19:56 < mepholic> Welcome to the MySQL monitor. Commands end with ; or \g. 19:56 < mepholic> Your MySQL connection id is 73535 19:56 < mepholic> Server version: 5.1.34-0.dotdeb.1 (Debian) 19:56 < mepholic> Type 'help;' or '\h' for help. Type '\c' to clear the buffer. 19:56 < a> nice! 19:56 < mepholic> mysql> [...] 20:02 < mepholic> damn 20:02 < mepholic> there's absolutly no passwords in here 20:03 < mepholic> well like 20:03 < mepholic> oh fucking christ 20:03 < mepholic> mysql> show tables; [...] 20:10 < mepholic> mysql> SELECT COUNT(*) FROM users; 20:10 < mepholic> +----------+ 20:10 < mepholic> | COUNT(*) | 20:10 < mepholic> +----------+ 20:10 < mepholic> | 118275 | 20:10 < mepholic> +----------+ 20:10 < mepholic> 1 row in set (0.24 sec)
- Who on earth imports
oldREAL DATA into dev server, especially a public one?!
Hey, I don't know how about you guys, but for me running a company this way is EPIC FAIL in itself and qualifies for Pwnie Award in category of Most Epic FAIL. You would expect people who run quite popular site (at least popular in Poland) to know what they are doing. Were there any controls in place, anything at all? Doesn't look like it :-(
I would write more, but that doesn't make any sense - they have hard time already and most of the scrunity and plain anger will come from their own users... so let's learn from their mistakes and not make those again in the future, anywhere, on any site! Of course we'll see what will come up in this case, what will be the outcome.