Collective investigation: how did the Yandex account passwords database appear?

After reading the news about the leak of the Yandex password database, the official Yandex statement and the comments on both, it became clear that the situation is confusing and that some people believe the database leaked from Yandex itself.

Seeing the users' mistrust, I decided to lay out all the facts and identify by reasoning the most likely way the database came into being:

1. Bruteforce;
2. Phishing;
3. Cross-check (password reuse from another site);
4. Leak from users' computers;
5. Leak from Yandex;
6. Leak from special services;
7. The base has been compiled over a long time from various sources;
8. Via mobile operators (if the phone is attached).

1. Bruteforce

Directly brute-forcing passwords of the form “51iII%jch^f6” is practically unrealistic or impractical, even if there were no protection against brute force at all. Here, I think, comments are superfluous.

2. Phishing

Some users in the comments claim that they have not used the mailbox since 2005, or have long since forgotten its password. If these statements are taken as true (a cursory look at the profiles shows nothing suspicious), then even if phishing took place, this database is not the result of a single mass phishing campaign.

3. Cross-check (password reuse from another site)

Again, commenters state that their password was used only for the mailbox and on Habr. It is unlikely that the password was first stolen from Habr and then tried against the mailbox. Even if it was stolen from Habr, this is not a mass phenomenon (if anyone else can rule this option out, write in the comments).

4. Leak from users' computers

Although this option is possible, there are still doubts that the passwords of the users in question were stolen this way. More convincing examples are needed (if you have any, write in the comments).

5. Leak from Yandex

There are no facts supporting this. The only way to refute it is to show the opposite. Note that if Yandex stores password hashes, some of the passwords would take a very long time to brute-force. Example: for an unsalted MD5 hash of a 10-character password drawn from lowercase and uppercase Latin letters, digits and special characters, there are 96^10 = 66483263599150104576 candidates. Enumerating that many candidates with a suitable cracking program and a powerful graphics card (say, at a rate of 5000M/s) would take (96^10 / 5000000000 / 60 / 60 / 24 / 365) about 421 years, or 421 such cards for one year. This password from the database, “03jkd64k57d6t9h6$!X&”, contains 20 characters and would require far more time or computing power.
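The keyspace arithmetic above, as an added example that is not part of the original post: it reproduces the 96^10 / 5000M/s figure and applies the same estimate to the quoted 20-character password. The character-class sizes (26 + 26 + 10 + 34 = 96) and the 5000M/s rate are taken as the post's convention, not measured values.

```python
# Added example, not from the original post: estimate how long an exhaustive
# search of a password's keyspace would take at a given hash rate.
# Assumption: the post's convention that lowercase + uppercase + digits +
# special characters give 96 candidates per position (26 + 26 + 10 + 34),
# and its example hash rate of 5000M/s.
import string

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 34}
SECONDS_PER_YEAR = 60 * 60 * 24 * 365


def character_classes(password: str) -> set:
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def crack_years(candidates: int, rate_per_second: int) -> float:
    """Worst-case years needed to enumerate every candidate at the given rate."""
    return candidates / rate_per_second / SECONDS_PER_YEAR


def estimate(password: str, rate_per_second: int = 5_000_000_000) -> dict:
    """Keyspace and worst-case search time for a concrete password's classes/length."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    space = keyspace(alphabet, len(password))
    return {"length": len(password), "alphabet": alphabet,
            "keyspace": space, "years": crack_years(space, rate_per_second)}


if __name__ == "__main__":
    # The post's worked case: 96-character alphabet, 10 characters, 5000M/s.
    print(keyspace(96, 10), crack_years(keyspace(96, 10), 5_000_000_000))
    # The 20-character password quoted from the database in the post.
    print(estimate("03jkd64k57d6t9h6$!X&"))
```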

6. Leak from special services

This is a rather junk database; the special services would have a better one. See my considerations below.

7. The base has been compiled over a long time from various sources

The most likely option, in my opinion. My considerations are below.

8. Via mobile operators (if the phone is attached)

Given that the people on Habr are not stupid and are knowledgeable in information security, it can be assumed that the passwords were stolen somehow through a mobile operator. I don't know whether this was a mass phenomenon, but recently a friend told me how a large sum was stolen from him from Yandex.Money. Beforehand, his phone had stopped finding the network, i.e. the SIM card stopped working, as if it had been reissued at the operator's office and the old one blocked. During that period the money was stolen. The operator said it had no information supporting this assumption and simply issued a new SIM card, because the old one no longer worked. There is no proof; maybe someone will share whether this is a mass phenomenon.

My mini investigation

At first I picked passwords with special characters at random and then googled the corresponding mailboxes: they are not found anywhere on the Internet. I then decided to use a small Vkontakte loophole I had discovered long ago and checked who these mailboxes were registered to on Vkontakte, as follows:

1. Click password recovery;
2. Enter the mailbox address;
3. We are asked whether this is the page whose password we want to reset, and the first name, last name, avatar and city are displayed;
4. Search vk.com by first name, last name and city and compare the profile picture;
5. If nothing is found, google the first and last name, go through the vk.com pages in the results and compare the profile picture;
6. If still nothing, use Google image search with the avatar link, adding the first and last name to the search if necessary;
7. Profit.

Result:

hellraiser84@yandex.ru: 03jkd64k57d6t9h6$!X&
iurusov.tolya@yandex.ru: hdkYwk*^2v2

These users are blocked or their pages have been deleted; I did not look for links to them.

alisa.arhangelskaya@yandex.ru: 51iII%jch^f6
vk.com/id108362638

super.denvgj2010@yandex.ru: jgbkcvbf^sdlfewi
vk.com/id103201231
(The vk.com search didn't find the page, but Google did.)

kijaka@yandex.ru: s1gh57NTS%%^%
vk.com/id64404050
(Found by profile picture via Google image search, plus entering the first and last name.)

Two of the pages are blank; the first has some spam on it.

There are no particular patterns here, and more pages would need to be checked, but I still managed to identify a pattern from other data: a suspiciously popular password was discovered, after which another user noticed that the logins for these passwords are automatically generated. I noticed that they are scattered across different parts of the file, seemingly at random (alternatively, perhaps not at random, since the mailboxes may be listed in order of registration time; but given that the database contains mailboxes dating from 2005 alongside recently registered ones, this option is unlikely, as are the others). It looks as though these mailboxes were deliberately mixed throughout the database so as not to arouse suspicion and to support the statistic that there are many valid addresses and the database is not fake.
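The two signs of padding described above (auto-generated logins scattered through the file, and one password shared by many of them) can be checked mechanically over a dump. This is an added example and not the post's own tooling; the login pattern (three letters plus eight digits, as in vla13854625) and the sample dump are assumptions, and only the three vla/dmi addresses come from the post.

```python
# Added example, not from the original post: scan a "login:password" dump for
# logins that look auto-generated (assumed pattern: three letters followed by
# eight digits, like vla13854625) and for one password shared by many accounts.
import re
from collections import Counter

GENERATED_LOGIN = re.compile(r"^[a-z]{3}\d{8}$")

# Constructed sample dump: only the three vla/dmi addresses are quoted from the
# post; every other address and every password here is made up.
SAMPLE_DUMP = """\
alice.example@yandex.ru:Zq7#placeholder1
vla13854625@yandex.ru:SharedPass123
bob.example@yandex.ru:kT9$placeholder2
carol.example@yandex.ru:mN4%placeholder3
dmi46685101@yandex.ru:SharedPass123
dave.example@yandex.ru:pW2&placeholder4
erin.example@yandex.ru:rX8!placeholder5
dmi16144725@yandex.ru:SharedPass123
"""


def parse_dump(text: str) -> list:
    """Split 'email:password' lines into (local_part, password) tuples."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        email, password = line.split(":", 1)
        records.append((email.split("@", 1)[0], password))
    return records


def is_generated_login(local_part: str) -> bool:
    return GENERATED_LOGIN.match(local_part) is not None


def analyze(records: list) -> dict:
    """Report generated-looking logins, where they sit in the file, and the top password."""
    positions = [i for i, (login, _) in enumerate(records) if is_generated_login(login)]
    top_password, top_count = Counter(pw for _, pw in records).most_common(1)[0]
    gaps = [b - a for a, b in zip(positions, positions[1:])]
    # Large, even gaps between generated logins suggest they were deliberately spread out.
    return {"total": len(records), "generated": len(positions), "positions": positions,
            "max_gap": max(gaps) if gaps else 0,
            "top_password": top_password, "top_password_count": top_count}
```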

To confirm that these addresses share the same origin, I checked these mailboxes on Vkontakte as described above:

vla13854625@yandex.ru
dmi46685101@yandex.ru
dmi16144725@yandex.ru

They are registered under the same name, which once again hints that these mailboxes were deliberately mixed in with the rest to inflate the size of the database.

What is the result?

It seems to me that Yandex is really not to blame. I tried to put all the facts together, reason logically and identify some patterns that can at least indirectly prove something.

I invite everyone to discuss this issue together. Give arguments for and against these assumptions or offer your own.
