Rootkit.com Compromise Poses Risks to Other Sites

  Rootkit.com cracked passwords posted online
People who analyzed the recently leaked rootkit.com user database warn that the compromise also has implications for accounts on other sites due to password reuse.

A week ago, the Anonymous collective hacked into the systems of a security firm called HBGary, which had threatened to expose the group's high-ranking members.

The group leaked tens of thousands of corporate emails and other confidential information, along with the user database of rootkit.com, a research website maintained by HBGary founder and CEO Greg Hoglund.

Because the passwords in the database were hashed with the vulnerable RC5 algorithm, they were relatively trivial to crack.

Dazzlepod managed to recover the passwords for 64,489 accounts out of the nearly 81,000 in the database using the popular John the Ripper password cracking software.

"By randomly putting the passwords to test, many appear to be reused by the same user elsewhere on sites presumably of lower value to the user, e.g. Facebook, Twitter, forum sites, secondary email accounts, etc.," Dazzlepod warns.

For example, running the cracked credentials through the mechanize tool against Twitter resulted in 225 matches for @gmail.com addresses alone.

In reality, the number is probably much higher and the problem extends to other websites. A few hundred accounts are more than enough to launch a mass spam or malware distribution campaign, and it wouldn't be unusual if this were to happen.

Following the Gawker hack in December and the leak of its 1.3-million-strong user database, large spam attacks using the exposed credentials were mounted on Twitter.

A recent data analysis that compared the rootkit.com database against the Gawker one determined that there was a password reuse rate of at least 31% between the two.

People who had a rootkit.com account and used a password common to other places are strongly advised to change it as soon as possible.
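
Operators of other sites can run the same kind of comparison defensively: check leaked email/password pairs against their own salted hashes and force a reset on every match. This is an added example, not part of the original article; the PBKDF2 storage scheme, the function names and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as the site would store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def find_reused(own_users: dict, leaked_pairs: list) -> tuple:
    """Return (emails needing a reset, reuse rate among overlapping accounts).

    own_users:    email -> (salt, stored_hash) from the site's own user table
    leaked_pairs: (email, plaintext) pairs recovered from a third-party leak
    """
    overlap, reused = set(), set()
    for email, leaked_password in leaked_pairs:
        key = email.strip().lower()
        record = own_users.get(key)
        if record is None:
            continue  # address has no account here
        overlap.add(key)
        salt, stored = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time compare
            reused.add(key)
    rate = len(reused) / len(overlap) if overlap else 0.0
    return sorted(reused), rate


def _make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample data: no real accounts or passwords.
OWN_USERS = {
    "alice@example.com": _make_user("correct horse battery"),
    "bob@example.com": _make_user("hunter2"),
    "carol@example.com": _make_user("unique-to-this-site"),
}
LEAKED = [
    ("Bob@Example.com", "hunter2"),         # same password on both sites
    ("carol@example.com", "other-secret"),  # account overlaps, password differs
    ("dave@example.net", "letmein"),        # not a user here
]

if __name__ == "__main__":
    to_reset, rate = find_reused(OWN_USERS, LEAKED)
    print(f"force reset: {to_reset}; reuse rate among overlap: {rate:.0%}")
```

The reuse rate here is computed only over addresses present in both data sets, so it reads as a lower bound in the same way as the "at least 31%" figure above.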
