[BreachExchange] Password data for ~2.2 million users of currency and gaming sites dumped online

[Destry Winant]

https://arstechnica.com/information-technology/2019/11/password-data-dumped-online-for-2-2-million-users-of-currency-and-gaming-sites/

Password data and other personal information belonging to as many as
2.2 million users of two websites—one a cryptocurrency wallet service
and the other a gaming bot provider—have been posted online, according
to Troy Hunt, the security researcher behind the Have I Been Pwned
breach notification service.

One haul includes personal information for as many as 1.4 million
accounts from the GateHub cryptocurrency wallet service. The other
contains data for about 800,000 accounts on RuneScape bot provider
EpicBot. The databases include registered email addresses and
passwords that were cryptographically hashed with bcrypt, a function
that's among the hardest to crack.

The person posting the 3.72GB Gatehub database said it also includes
two-factor authentication keys, mnemonic phrases, and wallet hashes,
although GateHub officials said an investigation suggested wallet
hashes were not accessed. The EpicBot database, meanwhile, purportedly
included usernames and IP addresses. Hunt said he selected a
representative sample of accounts from both databases to verify the
authenticity of the data. All of the email addresses he checked were
registered to accounts of the two sites.

Another indication that the data in the file belongs to GateHub
account holders: this Twitter post. It came from Aashish Koirala, a
self-described software developer who said he recently received a
notification from the identity protection arm of consumer credit
reporting service Experian. The advisory, Koirala said, notified him
that "my credentials for @GateHub were found compromised on the Dark
Web."

While there were 2.2 million unique addresses in the two dumps, it's
possible that corresponding password hashes or other data isn't
included with each one.

Unauthorized access

The Gatehub account data, which was posted to a widely visited hacker
site in late August, came three months after the cryptocurrency
service reported that it had been hacked. The attackers, GateHub said,
had stolen—or at least tried to steal—a wealth of sensitive
information for more than 18,000 user accounts. The wording of the
post left unclear exactly what data beyond access tokens was
successfully obtained.

GateHub officials wrote:

As previously suggested in our investigation update, we believe the
perpetrator gained unauthorized access to a database holding valid
access tokens of our customers. Using these tokens the perpetrator
accessed 18,473 encrypted customer accounts, a very small fraction of
our total user base. On affected accounts, the following data was
being targeted: email addresses, hashed passwords, hashed recovery
keys, encrypted XRP ledger wallets secret keys (non-deleted wallets
only), first names (if provided), last names (if provided).

GateHub's disclosure went on to say that site officials notified users
whose accounts were accessed and generated new encryption keys and
re-encrypted sensitive information, such as ledger wallet secret keys.

The posting of the database means the breach that the wallet service
disclosed in July was much bigger than previously thought. Rather than
obtaining only access tokens, the attackers also took 2FA keys, email
addresses, password hashes, mnemonic phrases, and possibly wallet
hashes. What's more, the breach affected as many as 1.4 million
GateHub users, not just the 18,473 mentioned in the disclosure. In an
email, an unnamed member of the GateHub security team wrote:

We are aware of a database posted on RaidForums whose author claims
that it belongs to GateHub. The alleged GateHub database is being
thoroughly examined by our team, therefore, we are unable to confirm
its authenticity at this time. We will make sure to keep you posted of
any updates.

>From what we have gathered so far, it does not contain wallet hashes.
As mentioned before, we are still verifying its authenticity.

One of our initial responses to the cyber attack was to introduce
re-encryption to all GateHub accounts. With the new re-encryption, all
GateHub accounts were re-encrypted and all of our customers had to
change their passwords. This was introduced in July 2019.

The statement didn't explain why the investigation has been unable to
verify the authenticity of the data 25 days after it was posted and
four months after it was first accessed. It was also unclear precisely
what officials meant by "re-encrypted."

"There are references to PGP [in the database]," Hunt told me. "There
are what appear to be PGP encrypted strings. I'm not sure if that's
what they rotated. Are they talking about rotating cryptographic
hashes, or are they talking about this section of PGP which is wallet
related?"

Change passwords, mnemonic phrases, etc.

The EpicBot leak, meanwhile, was posted to the same hacker forum on
October 25, the same day as the GateHub dump. Hunt said it contains
roughly 800,000 unique email addresses, along with usernames, IP
addresses, and bcrypt-hashed passwords. EpicBot officials didn't
respond to requests to comment for this post. I couldn't find any
mention of a breach on the EpicBot website.

FURTHER READING

Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked
Both sites' use of the bcrypt hashing function, assuming it was
implemented correctly, is encouraging. Bcrypt is so compute-intensive
that it would require years for even powerful graphic-card equipped
clusters to crack all of the passwords. Of course, deploying bcrypt
insecurely is easy. Programming errors made by the Ashley Madison
cheaters' website, for instance, made it trivial to crack more than 11
million of the 36 million bcrypt hashes leaked in the 2015 hack of the
site.

The leaking of other types of personal information for what could be
as many as 2.2 million accounts is less admirable, especially since
there's little evidence all affected users were notified in a timely
fashion. EpicBot users should change their passwords as soon as
possible. For GateHub users, a password reset isn't required given the
mandatory change done in July. But mnemonic phrases should be
replaced, assuming they weren't already.

To ward off the growing threat of credential stuffing attacks, users
of both sites should also change passwords for any other sites that
used the compromised credentials. Users should also be on the alert
for spear phishing and other forms of attack that make use of their
personal information.