Rob's Ramblings

Sunday, 3 July 2011

Data Breach

A recent article on The Register, about somebody finding a database dump containing usernames and passwords simply by using google, sparked my interest.

The obvious google search for "filetype:sql" threw up rather a lot of results. So how to refine it? Adding "password" cut it down somewhat, but still many thousands of irrelevant results. Some of those results had the header "MySQL Dump", so let's add that too. Whee; now that looks interesting.

Many of the results are, of course, installation scripts for webapps, setting up default parameters, including default admin accounts, etc. However there are some interesting other files. Lots of plain text passwords but several have encrypted passwords too.

One of those caught my eye - the first few records all had a password of e10adc3949ba59abbe56e057f20f883e. Putting that into an online MD5 Decryptor brought up the plain-text equivalent: 123456. Duh! Every other example I tried was also decrypted successfully.

Now apparently 123456 is the worlds most common password. Let's see just how many database dumps exist that have plain old md5 hashes of passwords, have at least one user account with the password "123456", are available on public facing web servers, and are indxed by Google. Lots, as it turns out.

Now many of these are still install files, or very old, or from fairly inconsequential websites. I checked a few, and had a look at the front page of the websites that hosted them. One file stood out, though. The file Google had thrown up was fairly boring - default data for some application I didn't recognise with the obligatory 123456 admin password, but the front page of the host it was on turned out not to have an index file, and gave me a directory listing. One of the files listed was a ~7Mb compressed sql file with a filename that included the name of a rather large telecomms company..

Now that was interesting! I think it was a dump of some market research data..

Email address, first name, surname, telephone number... And later on, what looked like address records.

In excess of 28,000 users ... All UK individuals.

On a public facing web server...

I notified the company concerned, and they have removed the file, indeed they removed the entire subdomain from the internet. Google search results no longer include the file that led me there. Bar two screenshots which the above images are taken from, I have ensured all data has been removed from my system, including cache files. Oh, and the ICO have been notified. As the company were so quick to get back to me and to take action, I am not identifying them here.

Need I spell out the lessons to be learned however?

Labels: , ,


Post a Comment

Subscribe to Post Comments [Atom]

<< Home