Make sure you are not one of the 8 million users in the Gamigo hack

Did you want sea salt or kosher salt with that password?...That's right, we couldn't help ourselves on that one...

Eleven million hashed Gamigo passwords were leaked onto the internet. After de-duping, it still left more than 8 million email addresses and passwords belonging to Gamigo users. The original dump has been removed – but while it was available and within half an hour, ‘jaguar1na’ had claimed to have “found 94%” of the passwords. This might be true, or it might be untrue. If true, it suggests that 94% of the passwords were ‘easy’ to crack – the worst possible scenario would have been unsalted password hashes (salting is a process that makes standard hashes more secure).

“The passwords are supposed to have been obscured by one-way hashing,” ESET senior research fellow David Harley told Infosecurity. “But if jaguar1na really did get 94% that fast, it doesn’t necessarily mean the database wasn’t salted: it might have been badly salted – maybe by not randomizing the salt for each password instance – facilitating the use of an attack table.”
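To illustrate the salting point Harley makes, here is an added example (not part of the original article, and not Gamigo's code; SHA-256 and PBKDF2 are assumed purely for illustration, since the article does not say what scheme Gamigo used). It contrasts a single site-wide salt with a per-user random salt, and shows two audit checks a site can run over its own credential table to spot the weak scheme:

```python
import hashlib
import os
from collections import Counter

# Constructed sample data: four users, two of whom chose the same password.
USER_PASSWORDS = ["123456", "password", "letmein", "123456"]


def store_badly(passwords):
    """Weak scheme (assumed for illustration): one site-wide salt for every user.
    Identical passwords produce identical hashes, and a single precomputed table
    of hash(salt || candidate) covers the entire dump."""
    salt = b"site-wide-salt"
    return [(salt, hashlib.sha256(salt + p.encode()).hexdigest()) for p in passwords]


def store_properly(passwords, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 assumed here).
    Identical passwords now hash differently, so no precomputed table transfers
    between users and each row costs the full iteration count to test."""
    rows = []
    for p in passwords:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations).hex()
        rows.append((salt, digest))
    return rows


def salt_reuse_ratio(rows):
    """Audit check over a (salt, hash) table: fraction of rows sharing the most
    common salt. 1.0 means every user shares one salt (no better than unsalted
    against precomputation); about 1/len(rows) means salts are per user."""
    counts = Counter(salt for salt, _ in rows)
    return counts.most_common(1)[0][1] / len(rows)


def duplicate_hash_count(rows):
    """Second audit signal: number of rows whose hash value occurs more than
    once. With per-user salts this is zero even when users share a password."""
    counts = Counter(h for _, h in rows)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    bad, good = store_badly(USER_PASSWORDS), store_properly(USER_PASSWORDS)
    print("shared salt :", salt_reuse_ratio(bad), duplicate_hash_count(bad))
    print("per-user    :", salt_reuse_ratio(good), duplicate_hash_count(good))
```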

But jaguar1na’s claim also suggests that at least one person got hold of the list, and therefore no-one now knows how many ‘private’ copies are quietly circulating.

We also need to consider the delay between the original hack and the more recent dump: four months. The recent hack and dump of LinkedIn passwords happened much faster, leading to some suggestions that the hackers were effectively crowd-sourcing the cracking process. But a four-month delay suggests that the Gamigo hackers kept the spoils to themselves while they attempted to extract the passwords – and the likelihood is that they succeeded in the majority of cases.

“It’s likely that the dump was released because everything had been squeezed out of it,” explained Harley. This means that the rapid removal of the original dumped list should be of relatively little comfort: the Gamigo passwords are already available to criminals and are being used or sold on to other criminals.

Gamigo made its users change their passwords shortly after the original hack. But sadly, this too is likely to be of little comfort. Since the majority of users still reuse the same password over and over again, and email addresses are common ‘usernames’, those users’ Gamigo accounts may now be safe, but countless other accounts are exposed. There is no easy answer to the password conundrum. Secure passwords are difficult to remember – so users tend to use simple, easy-to-remember passwords that criminals find equally easy to guess or crack. And because of the sheer volume of passwords that are now needed on the internet, most users repeat the same passwords across many different accounts. If one website gets hacked, multiple web accounts are endangered.

However, we should be grateful that at least one copy of the Gamigo list was grabbed before it disappeared. Steve Thomas, the founder of PwnedList, downloaded the file before it was removed. PwnedList allows individuals to check, free of charge, if their email address appears in a list of known stolen credentials. That list currently stands at nearly 24 million stolen emails and passwords. It’s worth a visit to make sure you’re not included. If you are, change every single password you use on the internet to a new, strong and individual code immediately. And check your bank statement just in case.
