Darknet Diaries - Ep 33: RockYou

Episode Date: March 5, 2019

In 2009 a hacker broke into a website with millions of users and downloaded the entire user database. What that hacker did with the data has changed the way we view account security even today. This episode was sponsored by CuriosityStream, a streaming service showing non-fiction and documentaries. Visit https://curiositystream.com/darknet and use promo code "darknet". This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit https://cmd.com/dark to get a free demo. To see more show notes visit darknetdiaries.com/episode/33.

Transcript
Starting point is 00:00:00 So let's start out with tell us your name and what do you do? So my name is Troy Hunt. I am an Australian security researcher, I guess. That term seems to be used a lot. I run the data breach notification service Have I Been Pwned? I write some online training for people and speak at events. Troy's website, haveibeenpwned.com, is amazing. Basically, if there's a data breach out there where the data is public, Troy knows about it. He collects all the breach data and puts it into his database and lets people search for their email address to see if their account has been in a breach. Yeah, so I mean, a typical example, someone pops up and says, look, I've got the data.
Starting point is 00:00:35 It's often via an email or a Twitter DM. And they say, look, would you like it for Have I Been Pwned? They often send me a link to Mega. So they'll put it on MegaNZ somewhere. Sometimes they ask for attribution as well, so some people want either the notoriety or the fame, as it may be. I go through, grab that data, validate that it's actually legitimate, then load it in, write it up, and publish it.
Starting point is 00:01:00 He's been running this site since 2013, adding all the public and semi-public user account data breach details that he could find. And his site has truly changed how we view our account security. Yeah, just where do you even begin? I mean, I guess one of the things that amazes me, I'm looking at the record count now, having just loaded the Dubsmash data last night, and it's almost 6.9 billion records. And I remember when I started it, and there was like 155 million records in there. And I was like, well, this is a lot of data. I wonder if it's going to be able to get much bigger. That is, there have been 6.9 billion email addresses seen in data breaches
Starting point is 00:01:36 in the last 10 years or so. That's a lot of email addresses. So this is 6.9 billion breached accounts. So as an example, my own email address has been seen 15 times. So of that 6.9 billion, 15 of them are me. So this is not unique email addresses. Unique email addresses is more around the sort of 4 billion something. And I sort of wonder if you're kind of doing the mental arithmetic here and going, well, hang on a moment, like how many people are there out there that are actually connected to the Internet? And you sort of realize that this is just a really significant portion of online accounts. And you can imagine if you post data breach details for people to search on, Troy's going to get some interesting feedback. I remember one company said, look, we've gone and done a domain search. The same three guys in the warehouse, just like on basically every porn site, we need to be really,
Starting point is 00:02:28 really confident that this information is accurate because we've got to go and have some very uncomfortable chats with some of the guys in the warehouse. Can you imagine signing up for a porn site with your work email address and then having it show up in a breach notification to your boss? But there are so many breaches happening these days that it's hard for Troy to keep up on all of it. Yeah. Honestly, at the moment, it is wearing me out because it's so much work. It really dawned on me in January where I loaded one of these credential stuffing lists, 773 million records. And I loaded it just as I got on a plane to go overseas and have a few days out in the snow with some friends, and I just got thousands of emails and
Starting point is 00:03:11 tweets and media and I just got absolutely bombarded, right at a time I was trying to switch off. And I've actually started to become really conscious of the mental toll it's taking, if I'm honest. So that bit is hard, and then, you know, underlying that there's just this massively increasing stream of data. I would have multiple breaches a day sent to me, of all different scale of course, and at the moment I'm sort of working through this whole lot which was published just in the last couple of weeks, which had things like MyHeritage and Dubsmash and MyFitnessPal and all these.
Starting point is 00:03:49 There's about a quarter of a billion records there across different unique incidents. And I need to verify each one of those and then load the data and send the emails and then deal with the onslaught of feedback from it. At this point, Troy has added hundreds of website dumps into his database. Breaches today are really quite common. But let's roll back the clock and dive into a breach that happened a long time ago, but had a big impact on how we view security today. These are true stories from the dark side of the internet.
Starting point is 00:04:24 I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by DeleteMe. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless.
Starting point is 00:05:02 And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes personal information from hundreds of data brokers' websites. And continuously works to keep it off. Data brokers hate them because DeleteMe makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things.
Starting point is 00:05:28 It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for Darknet Diaries listeners. Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code Darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing,
Starting point is 00:06:15 incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
Starting point is 00:06:51 And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. The common thread on where a hacker comes from is that many of them had a computer in their home as a teenager. When a teenager has a computer, they'll probably want to play video games on it. And some will be curious about those games and start playing with the mechanics of the game itself by exploring the files of the game.
Starting point is 00:07:37 Maybe changing one of them to see what it does. They might then look online for cheats or even hacks to make the game do things it's not supposed to. And this might fascinate a teenager even more. And they begin to think about more things they can do with this. Maybe write a program to automate the video game or find a way to make copies of it for friends. The curious mind and the endless tunnel of the internet is a beautiful combination. But having that while being a teenager can be even more powerful. If you're in high school or college living at home
Starting point is 00:08:05 with no job and have an obsessive fascination with that hunk of metal in the corner of your room, you can spend an insane amount of time on that thing. Literally staying up all night on the computer, sleeping only a couple hours, and then going to class is not that uncommon. And as soon as school's out, they'll go right back to the computer again. And it's not just playing video games, but also learning HTML or how to code and finding different things to learn on the internet. A teenager can easily spend 10 hours a day on a computer, and they can learn how to build things, and how to break things. Making stuff and breaking stuff becomes the new obsession. Malcolm Gladwell once famously wrote that you can master something if you spend 10,000 hours doing
Starting point is 00:08:43 it. And if you spend 10 hours a day for three years, that's 10,000 hours. Not everyone has this opportunity of owning a computer, having an endless curiosity towards technology, and not having that much responsibility as a teenager. And if you had this, consider yourself privileged. Because having access to a world of information right there in your bedroom, and having the luxury of time to be able to spend countless hours on it, is not something everyone has. But like I was saying, this is the common story of how many hackers got started, or security professionals. They're really two sides of the same coin. This is how I imagine Tom got started with computers. Tom was your average security
Starting point is 00:09:21 professional. He likely did the time of spending the 10,000 hours in front of a computer and worked his way up getting a solid gig securing the network for a company. He knew computers well. Oh, and Tom's not his real name, by the way. That's just the name given to him by the New York Times. Tom could code, troubleshoot PC problems, and he knew his way around databases really well. And somewhere along the way of learning all this,
Starting point is 00:09:41 he got curious about hacking. He started looking at websites to learn how you can do things to computers you really shouldn't be allowed to do. He thought this was cool and wanted to learn more. He found a website that had all kinds of tutorials on how to hack. How to write a bot, how to write exploits in Python, and stuff like that. The site had a forum, too, and he joined it and used it to ask questions and learn more about hacking. The weird thing about the internet, it's so big, right? And there's so many corners and pockets of people in each crevice of it that wherever you go it feels like everyone is doing this thing. If you go on
Starting point is 00:10:15 Instagram it feels like everyone's traveling. If you go on Facebook it feels like everyone's having babies. And if you go on a hacker forum it feels like everyone is hacking. And I don't know if Tom was just bored at work or felt mischievous or just thought that because he hangs out in the hacker forums that it appeared that everyone was doing this, but it seemed cool to hack. I mean, these forums would sometimes have a post of someone showing you step by step how a specific website is vulnerable to an attack. And if you were quick enough, you could follow the steps and get in and look around.
Starting point is 00:10:44 So Tom was seeing this, a lot of this, and started to poke around at websites himself to see if he could find a hackable website. The thing is, the internet is huge though, and it's hard to know where to look to try to find a website that's vulnerable. At least, there wasn't a good spot back in 2009 when this story took place. So Tom would visit websites he knew about and start checking to see if they were exploitable. He was going through a bunch of websites that he could think of and testing if any of them were vulnerable to certain attacks. He would go to these websites and click the login button and then put a single quote in for the username and password and hit login. The website should come back with a message saying invalid
Starting point is 00:11:24 login, user not found, or something like this. But one website he did this on said something else. Instead, it looked like the website had crashed. The whole page went blank and it just displayed a little error saying you have an error in your SQL syntax. You might be thinking, wait, how is it that if you put a single quote in for the username and try to log in with just that, it gives you an error saying your SQL syntax isn't right? Well, I'll tell you. SQL, often pronounced sequel, is the language used to talk to databases.
Starting point is 00:12:01 Websites that have users that can log in have a database where the user information is kept. And when a user tries to log into the site, the website has to ask the database if that user is in the database. And in this case, Tom asked if a user that's just a single quote exists. And this single quote was passed right into the database query. But SQL treats single quotes special. Web developers should not trust inputs from the user and should sanitize them and parse them differently. But when Tom saw the website was telling him he had a SQL syntax error, he knew immediately what this meant. The website was not sanitizing its user inputs properly,
Starting point is 00:12:38 and he could issue SQL commands and query the database right through the username field of the login page. This is known as SQL injection, and it's been a known attack since 1998. But still, even today, web developers struggle to properly sanitize user inputs, and it's constantly being one of the biggest threats to websites. So Tom saw this website was vulnerable to SQL injection and started seeing what kind of fun he could have. Oh, I should say this website he found the SQL injection on was csfd.cz, which is like IMDB, but in the Czech Republic. It's an online movie database in Czech. So he started passing SQL commands to the database through this login page. At first, he discovered the database name, which was called public. Okay, next he looked at the tables within
Starting point is 00:13:21 the database. There were 42 tables here. Things like forum, posts, film names, film ratings, and things like that. Not a big deal. This is all public information that you could theoretically scrape from the website if you wanted to anyways. But then he saw a table that caught his eye. Uživatelé, which is a Czech word meaning users. He quickly issued a command to see the contents of this users table, and sure enough it had all the user data. He saw user names, hashed passwords, and email addresses of every user on the site. Now keep in mind he's doing all of these SQL queries from the login page of the
Starting point is 00:13:58 website. He's not even a user on the site and still he could see all of the database content. This was a big deal for this fairly popular Czech website to have been accessed by Tom like this, and this put a big smile on Tom's face. He looked to see how many users there were on the site, and there were 187,000. This included their login name, email, and password hash. A password hash is not a password, it's what the passwords look like after you run it through an algorithm called a hash. This is how you should store passwords, hashed. And a large list of password hashes like this could be cracked over time. So he started downloading them all, and he spent a few weeks looking around the database and site. Then he'd go to work, do his day job, and then come home and continue poking around this website. Until one day, Tom lost
Starting point is 00:14:43 access to the website and saw an email from this Czech movie database, which was sent to all customers. It said they are migrating to a different database with different password storage. Something about this email upset Tom. He thought they were lying to their customers and hiding the fact that they've been breached. So Tom wanted to tell the world that he hacked this site and that's why they're wanting to change databases. So he decided to make a blog post. But where's a safe place to post about hacks?
Starting point is 00:15:10 WordPress and Blogger sometimes took down illegal content, so that wasn't going to work. Registering his own domain and hosting it himself, I don't know, just wasn't a good option. So he gave Baywords a try. Baywords was a simple blogging platform, and it was started by the same people who started the Pirate Bay. And it was meant to be a free speech zone for people who wanted to blog about things that might be taken down by other platforms. So Tom made a Baywords account and makes his first blog post under the name IGIGI. His post said the csfd.cz website has been hacked. And he said if you get an email from the company saying they're migrating servers, don't believe it. And that they were trying to recover from Tom breaking in and downloading all their stuff.
Starting point is 00:15:52 And Tom also said his access was terminated, but he still had two other ways into the network. He then goes on to post sample snippets of what he's stolen. This included all the names of the tables, as well as 20 username and password hashes. Then he spread his post around a few hacking forums to show what he did. A few people commented on this post, some calling him an idiot, others saying he had no ethics. Someone else encouraged him to post the entire database. I don't know what the websites themselves did, because I couldn't find any news stories about this breach other than Tom's post. But this was great fun for Tom. He really enjoyed the feeling of hunting for insecure websites
Starting point is 00:16:25 and breaking into them and looking at their databases. So he kept looking for more. And two days after posting that he hacked into the Czech movie database website, he made another Baywords post. This time saying he hacked into a Slovakian architecture firm. And he posted a sample dataset from there. The next day, another post, saying he hacked into a Czech e-commerce store and this one was actually storing their passwords
Starting point is 00:16:50 in clear text. Then the very next day, he hacked into another Czech website, which posts dark humor content, videos and jokes and stuff like that. In fact, this was a site he said he actually liked, so he had a lot of fun hacking into it. Tom was on a tear, finding website after website vulnerable to SQL injection and hacking it, downloading the user database, and posting it like a trophy to his Baywords blog. But he wanted more. He needed more. This hacking stuff was a wild rush of adrenaline and fun. So much different than his plain old day job.
Starting point is 00:17:22 And it was getting him notoriety. I have a feeling Tom was from the Czech Republic or Slovakia because all the websites he hacked were all there. It's just a lot harder to hack a website that's in a foreign language. One of the hacking forums he liked to go to had a section where people would post vulnerabilities they found on websites. One of these posts said that rockyou.com was vulnerable to SQL injection. RockYou.com was a popular American website at the time. They built widgets and tools for social media. For instance, they built a Facebook app called Superwall back in 2007.
Starting point is 00:17:57 And this gave you the ability to post more cool stuff to your Facebook wall, like videos and images and stuff. People loved this app and it grew in popularity. Over 100,000 people installed it and they liked to decorate their Facebook pages in unique ways. Now to use RockYou apps, you had to make an account at RockYou.com. But because it was so integrated into your social media, RockYou also needed access to your Facebook or MySpace pages too. And they were also making social media games too.
Starting point is 00:18:20 They were killing it on Facebook and MySpace with tons of great apps to enhance the social media experience. RockYou was getting invited to exclusive events and getting early access to API features and abilities. More and more people started using the RockYou apps. The company was looking to be a promising startup. They raised $10 million in funding, then another $3 million, and they just kept getting more and more funding. Hiring more employees too, and they were aggressively becoming a successful startup, and their popularity was booming. RockYou was growing fast but they were making some mistakes along the way. One mistake that RockYou made was an email they sent to all 450 of their ad partners talking about an
Starting point is 00:18:56 upcoming change. The mistake was that they emailed them all in the CC field and not the BCC field. So all 450 of their ad partners knew what their competition was and many of them were Facebook ad makers themselves. Zynga was on this list and they took advantage of it and started emailing many of the people on the list asking if they'd like to come work at Zynga. There was a huge reply-all email chain that resulted in this and it was bad and hilarious. A vice president of RockYou came out and apologized for the email and promised to take privacy more seriously and correct the issue. But guess what? Two months later, they did the same thing again, accidentally CCing the entire ad partner list.
Starting point is 00:19:32 And then they did it again not long after that. This began infuriating some ad partners. Mistakes were made, that's for sure. Another security issue that RockYou had was their password policy. Your password had to be a minimum length of five characters long and could not include any special characters. This is really weak, even for 2009 standards. And RockYou would be made fun of for that over and over. So, in November of 2009, when someone posted in his hacker forum that RockYou.com was vulnerable to a SQL injection,
Starting point is 00:20:03 this caught Tom's interest big time. He immediately started checking for himself, and sure enough, he was able to get right in. And this was a massive database. Forget about the 187,000 users and that Czech movie database website. RockYou had millions of users. Tom was blown away by this.
Starting point is 00:20:25 Such a big and fast-growing company with such a simple vulnerability. In fact, the SQL injection Tom used to get in was very close to the same one posted in Phrack magazine in 1998. And so 11 years later, RockYou.com was open to this same exact vulnerability. They didn't have their users' best interests in mind. So Tom started going through the rockyou.com database and taking all of the user data he could find, downloading hundreds
Starting point is 00:20:51 of thousands of logins, which quickly became millions, and then tens of millions. This took a while for him to get all this, and he would spend days downloading all this data out of the database. And what he does with that data will change the way we view password security, even today. spycloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections.
Starting point is 00:21:56 Get your free Darknet exposure report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. Tom wasn't the only one that noticed the forum post that RockYou was vulnerable to SQL injection. Someone else had noticed this too. So my name is Amichai Shulman. And by 2009, I was working with Imperva, a company that I founded in 2002.
Starting point is 00:22:32 Amichai has a strong background in security. In fact, he started out in Unit 8200, the secret Israeli military division. Yes, I spent eight being on the defensive side in the military was that when you're in the military, you think you can command people to do things. And you go to application programmers and you tell them you have to write secure code. That's an order. You have to write secure code. You know, that's an order. You have to use prepared statements so you don't get a SQL injection.
Starting point is 00:23:11 That's an order. And when you see that this kind of practice cannot be enforced in the military, you get to understand that it is even less effective in commercial environments. So sometime after Amichai finished his time in 8200, he went off and co-founded a company called Imperva, which helps companies secure their applications. He was good at defending the network and put his expertise to use. So in December of 2009, a security researcher at Imperva saw the forum post that RockYou.com was vulnerable to a SQL injection. It notified RockYou of this vulnerability, and RockYou quickly got to work fixing the problem. They worked all weekend to resolve this SQL injection on their site, but while doing so, they realized it was too late. RockYou had seen that someone else had been in the site and downloaded a copy of their entire database. A small news article came out about Imperva warning RockYou of this vulnerability.
Starting point is 00:24:16 Tom, the hacker, saw this article and went crazy. By this point, not only did he hack into the site, but he had downloaded their entire user database. Tom downloaded 32 million user accounts from RockYou.com. He looked at the 32 million accounts he stole and then looked at the article which said the vulnerability was fixed. And he thought, well, it's too late. You've already been hacked. The privacy policy on RockYou's website was not the best. First, it says the company makes reasonable efforts to keep its users' data safe,
Starting point is 00:24:48 but the security is not ensured and you should use the site at your own risk. It actually says when you give any data to RockYou, you are doing so at your own risk. Then the policy goes on to say that if RockYou learns of a breach, they may contact their customers to tell them. Well, Tom had breached them and they weren't notifying their customers. He wanted to expose their weak security and get them to admit that they've been breached. So what does Tom do? He writes another post on his Baywords account. This being the fifth post of the month of him hacking into various websites. On December 15th, 2009, Tom posts to his blog saying that he's taken 32 million accounts from the rockyou.com website,
Starting point is 00:25:26 and he shows us a little snippet of what he took. Then he even taunts RockYou by saying, don't lie to your customers or I'll post everything. Someone saw this Baywords post and tweeted, tipping off a few news outlets of the breach. TechCrunch was the first to report on it, saying that 32 million user records were stolen from rockyou.com and urges the readers to change their password immediately. The journalist posted this right away and then examined the snippets from Tom's dump closer and saw something else. RockYou had been storing the user passwords in clear text. What Tom posted a snippet of wasn't a hash of the user's password, it was the actual passwords. He only posted about 24 user details, and he slightly obscured the password. But still, what Tom had was 32 million usernames with their
Starting point is 00:26:11 password. This was a huge lack of security on RockYou. Storing user passwords in clear text is a terrible idea. You might think, oh, well, that's 2009. Times were different then. But the Linux operating system had been already hashing their passwords for 10 years by then. So it was not a fringe idea to hash passwords. And the thing is, we all reuse passwords, especially back in 2009. So these passwords might also work on the user's email, social media, and banking logins. Tom even wondered what percent of these people have PayPal accounts and if the password would work there too. And if he just took $10 from each of those accounts, he'd probably have a lot of money. But something even more shocking was shown in the small snippet Tom posted. Not only was RockYou storing logins to
Starting point is 00:26:53 their own site, but they were also storing the login and usernames for social media sites too. Because if you wanted to use a RockYou MySpace app, you'd have to log into both MySpace and RockYou to use it. So RockYou would capture these MySpace logins and store them on their own site, again in clear text, not encrypted, not hashed, not secure at all. TechCrunch saw this, posted a second article, and they reached out to RockYou asking when they're going to tell their customers of this breach. And within 24 hours of TechCrunch writing the article, RockYou did send a notification to its customers saying there had been a breach and that a person took usernames and passwords.
Starting point is 00:27:30 They didn't say anything about the social media usernames and passwords, and they didn't mention the passwords were stored in clear text. But they did make sure to say several times that they take security and privacy very seriously. News of this breach spread fast. RockYou was a popular site, and in fact, by that time in 2009, this was around the fifth biggest breach of all time. 32 million records was a lot. So this was big news. Tom looked through the 32 million username and password records,
Starting point is 00:27:56 and he had wondered what he should do with it. He liked looking at what passwords people were using. A lot were just their first name or band name they like. This fascinated Tom, and he kept looking at people's password choices. Of course, a lot of them were really bad since the minimum length had to be five characters and no special characters were even allowed. Tom thought if he's finding this interesting, maybe other people would find this interesting too. So he extracted only the passwords out of the dump, all 32 million of them, and put them in a text file.
Starting point is 00:28:29 There were no usernames, no email addresses, just 32 million passwords. And he posted this to Rapidshare, a popular file sharing site, and he told a few people in a hacker forum about it. Amichai noticed this and grabbed a copy of the password list because this could be really interesting. I think, at least for me, the first time that we saw that many passwords in a single file. And we said, OK, what can we do with it? When the password list got in the wild, some news sites reached out to Imperva for another comment. But for Amichai to go through 32 million passwords was going to take a long time. And I have to say our PR agency was not happy about it because I told them it's going to take time and we're not going to have a comment on this in two hours.
Starting point is 00:29:14 It will take us at least a week to process the file and understand what we can find and learn from it. So they were not happy to begin with. This got downloaded by many other hackers really quick. This was hot stuff. Like I said, this was around the fifth largest breach at the time. And since these passwords were in clear text, this was an amazing data set of words to try when cracking passwords. Previously, there were simple dictionary words lists, but now this is a massive list of actual passwords people are using. RapidShare LinkedIn didn't stay up long. It was taken down pretty quick, and it didn't matter.
Starting point is 00:29:47 The password list got out in the wild, and at that point started getting shared and spread among many hackers and security professionals online. Amichai and Imperva started making sense of the password list. They looked at what were the most commonly used passwords on the list. Here, I'll read them to you. Each one of these passwords I'm about to read has at least 10,000 people each who use this password. 123456. 290,000 people used
Starting point is 00:30:11 that password. 12345. 123456789. Password. I love you. Princess. 1234567. Rock you. 20,000 people used rock you as their password. 12345678. ABC123. Nicole. Daniel. Baby girl. Monkey.
Starting point is 00:30:33 Lovely. Jessica. 654321. Michael. Ashley. Qwerty. 111111.
Starting point is 00:30:41 000000. Michelle. Tigger. Sunshine. Chocolate. Password with the number one at the end. Ah, very clever. Only 11,000 people thought of that one. Soccer, Anthony, Friends, Butterfly, Purple, Angel, and Jordan. This was an eye-opener for us. That was, you know, when you got that, you know, large proportion of entries that corresponded to a relatively small number of unique passwords, that was like an aha moment for us.
Starting point is 00:31:17 This was incredible data. It was such a rare glimpse into what passwords people are actually using in the real world on a massive scale. Nothing like this had ever been seen before. Amichai had found that if you take the top 5,000 most frequently used passwords, you could crack 20% of all passwords. So that's a huge thing because it changed the way that we were thinking about credential theft attacks or what would attackers do with this kind of file. Or put another way, if I wanted to get into a single user's account, not on RockYou, but on any site, Facebook, Gmail, a bank,
Starting point is 00:31:58 if I try each of those top 5,000 passwords, I have a 20% chance of getting into that single account. Exactly. So either way you look at it, you understand that, you know, relying on the fact that attackers will use high volume, noisy, brute force attack against every possible password is, you know, not the way to detect attacks. And I do think that once we understood that, it was actually easier for us to really detect more attacks than we thought were in the wild. And again, I think that this publication with the large number ignited the whole discussion about password strength. As you can see, this was a goldmine for hackers to have.
Starting point is 00:33:09 With a password set like this, the likelihood of them hacking other accounts significantly went up. Hackers were able to use this password list to get into many accounts after this. But at the same time, it gave defenders the ability to know how to detect such an attack. Because now, we know attackers really don't need to try millions of potential passwords. They can just try the top 5,000. Or maybe the top 1,000, or the top 500, or even the top five, and still have a percent chance of getting in. When we came up with the report, like almost two weeks after the incident, it turned out that the New York Times showed a lot of interest, and it got us much, much, much more publicity. So PR people were not that mad at the time. This article actually hit the front page of the New York Times and it said, if your password is still 123456, it might as well be hack me.
Starting point is 00:33:59 RockYou sent more notifications to its customers, outlining certain steps they're taking to ensure security going forward. And they started hashing their passwords after that too. But this breach caused a major loss of customers. Many people were deleting their accounts and avoided using their apps. Their growth and climb to success had stalled and was actually detracting. About a year after the breach, RockYou announced a massive amount of layoffs. Many people were let go as the company restructured its resources, and the co-founder himself stepped down from his position as CEO. RockYou was determined to recover though, and rise up again. One of their arch rivals was bought out by Google, and RockYou
Starting point is 00:34:37 had gotten even more funding from venture capitalists. They used it to buy up a few small-time video game studios, and continued to create apps for social media. And by another strange turn of events, this hack was mainstream enough that it was actually a question in a game show. All right, you've got $1 million. I've got seven questions. Let's play the Million Dollar Money Drop. Fox created a game show called Million Dollar Money Drop.
Starting point is 00:35:02 A husband and wife couple is asked some trivia questions and they have a chance to make a million dollars. One couple was doing really well and had worked their way up. If they could answer this next question correctly, they would win $580,000. Let's take a look at the questions. And it was something like, um,
Starting point is 00:35:21 in the Imperva report, what was the most common password? Something like, in the Imperva report, what was the most common password? Something like that. Okay, pop quiz. Let's see if you're listening. Do you remember the most common password I mentioned a few minutes ago? Here are the answers to pick from. I love you, password, and 123456. And the contestants, they got the answer wrong they put all their money on password but the right answer was one two three four five six they ended up losing 580 000 and then six months later
Starting point is 00:36:00 the contestants sued the broadcasting company because they claimed it was a tricky question. They were claiming that the way the question was worded seemed like they were asking what's the most common password, and they didn't know the report only covered the Roku database. Which I have to admit is a really weird question, even for me who follows
Starting point is 00:36:19 security. To mention a specific security report by name, who's going to know what's in that report off the top of their head? Strangely enough, this game show had another lawsuit against them. On a different episode, the contestants had an $800,000 question, but got it wrong. And then when they went home, they looked it up and found they were actually right.
Starting point is 00:36:36 They sued the game show, which admitted they made a mistake and invited them back on to compete again. But neither of these contestants got anything for suing the game show. Because Fox canceled the entire game show, because Fox canceled the entire game show a year after it debuted. A couple class action lawsuits sprang up against Rokyu, one in Indiana and the other in California. The California one went on to court, and Rokyu asked the judge to dismiss it entirely. Rokyu was claiming that while the customer's data was stolen, the customers couldn't provide any evidence showing that this had caused them any harm.
Starting point is 00:37:06 And this is what a lot of class action lawsuits come down to after a breach, whether there's any identifiable damage done to the customers or not. But the judge disagreed with Rock You and didn't dismiss the case. The judge said that while there wasn't any visible harm done to customers, there was an unidentifiable amount of harm done. The victims felt violated by having their private information exposed like that. And to the judge, that was an unidentifiable amount of harm done. The victims felt violated by having their private information exposed like that. And to the judge, that was enough. RACU settled this class action lawsuit by paying the plaintiffs $2,000 and also covering their
Starting point is 00:37:34 lawyer fees. While it seems like a small amount, it kind of changed the way lawsuits were handled after this. Simply by having your personal identifying information stolen is now worth some money. So it's just kind of a warning to other online companies. After that lawsuit was over, the Federal Trade Commission had a few things to add. The FTC investigated the breach and found that Roku had stored almost 180,000 children's records too. These are people who are under 13 that had accounts on Roku's website. When handling the children's data, extra security precautions have to take place, which fall under the Children's Online Privacy Protection Act. The FTC determined that RockU had known that children were users on the site, and they didn't protect their data,
Starting point is 00:38:14 which put them in violation of these rules. Specifically, the rules they broke were not obtaining parents' permission before registering on the site, and not protecting the confidentiality and security of personal identifiable information of children. Because they violated these rules, the FTC fined RACU $250,000. Not only that, they demanded RACU delete all information relating to children under 13, but they also must undergo security audits from a third party every other year for the next 20 years. Violating any of this will cause even more fines. Raku continued to build up its reputation. They purchased more game studios and made more apps after that. They hired more key people and had some fairly successful games. But something about their business model didn't work as well as they'd
Starting point is 00:39:00 hope. They struggled to keep things going and had some internal failures. I started researching the story earlier this year and I went to Rakio.com's website last month to check it out. It looked sharp, hip, trendy, and they were talking about their future. About eight months ago, they got another $10 million in funding and they just acquired a company
Starting point is 00:39:18 called Mom.me in January. And they were announcing they're going to upgrade their servers in the next coming weeks. It looked like good things were ahead for Rakio. But a few weeks ago, I went back to the website, and it was totally down. It's been down for three weeks now. If you try to go to rockio.com right now, it says error connection reset. And this is odd, because the site was just there last month. I turned to look for their Twitter account and it's been deleted.
Starting point is 00:39:46 Their Facebook page is also gone. It's like their entire company vanished right in front of my eyes. I did some research and I found what's going on. On February 13th, 2019, RockU filed Chapter 7 bankruptcy in New York State. They seem to have quietly closed up shop. And it's really weird because there's just no mention of this in any tech publications or news sites at all. But from the looks of it, they may be gone forever.
Starting point is 00:40:15 I don't know why the company had done so poorly in the last 10 years since this breach, so I'm going to guess there were a series of other problems they faced and they just couldn't overcome. Perhaps a few bad investments or poor leadership decisions. It looks like they were running some poker and bingo games that paid out with real money, but a lot of people never got paid and got mad the site shut down while owing them money. It even says in the bankruptcy documents that there's over $500,000 in unpaid customer winnings. So what happened to Tom, you might ask? I don't know. After he posted this rocky breach data, he kept blogging for a few more days after that.
Starting point is 00:40:49 And then he did an interview with a news outlet and then disappeared, seemingly forever. And we don't even know his name. He went by IGIGI on his blog posts and Tom is just the name the New York Times gave him. There's never any news of him getting caught or facing charges. Tom said in the interview, they're now hunting for me, but why? I didn't do anything wrong.
Starting point is 00:41:10 They should now be in jail because they put all those people at risk. What I did was just for illustration. Tom wants us to think about who the real villain is here. He thinks it wasn't him. RockYou thinks it wasn't them. Can you be the victim and the villain at the same time? These are good questions. I asked Troy Hunt what he thought of the punishment that RockYou got from this. It's an interesting question because for me, particularly around things like class actions, there's always this question of impact. So if we're talking about individuals out there that are taking part in a class action,
Starting point is 00:41:42 I guess I would like to assume that in order for there to be retribution from a company, there needs to have been some sort of damages. And the hesitation I have with RockYou is that when we're just talking about a whole heap of passwords not associated to individuals floating around, it's probably very hard to sort of draw that back and say, ah, I had my identity stolen because of RockYou. Well, the only way that really makes sense is if you're using that same password everywhere and someone guessed what it was. So I'm a little bit hesitant on the class action side of the thing, unless there's a really clear line of attribution back to the original incident. I'm more supportive of
Starting point is 00:42:22 regulatory penalties where we have someone like the FTC being able to say, look, you guys just simply didn't do enough to protect your customers. We're going to ping you at that level. So I'm more supportive of that. And if I'm honest, I'd like to see it happen a lot more. And this data breach changed the way we think about password cracking even today. RockYou has sort of been one of those canonical sets of data that people have had for many, many years. And I guess the interesting thing is now, like a decade on, we know that people are still using the same sorts of passwords
Starting point is 00:42:53 that they were back then as well. So I guess the long-term value of RockYou is still there. For years, the data Tom posted was the very best password list you could use when cracking passwords. In fact, it became so good and passed around so much that it became included in many popular hacking programs and OSs. Even today, Kali Linux, a popular hacking operating system, comes with the RockYou password list on it by default. You can find it right there in the /usr/share/wordlists directory. I've personally used this word list to crack many passwords in my time.
Starting point is 00:43:26 And now I know where it came from. So bye, Tom. Thanks for all the cracked passwords. You've been listening to Darknet Diaries. A big thanks goes to Amichai Shulman. The company he helped start, Imperva, was just acquired a month ago for $2.1 billion. But Amichai left the
Starting point is 00:43:45 company just before this acquisition. Another big thanks goes to Troy Hunt. He recommends using a unique, complex password for every website you visit and checking haveibeenpwned.com to see if your email has been seen in a breach. For show notes and links, check out darknetdiaries.com. Please tell your friends about this show. It always really makes my day when I hear you do that. This show is made by me, The Dark Spark, Jack Rhysider. Theme music is made by The Hash and Salted, Breakmaster Cylinder. Look for a new episode in two weeks.