Numerous public figures in the security and tech industries have been beating the password reuse drum loudly for over a decade now. From corporate logins to social media services, password policies nudge users to pick something unique to each account. The recent breach of popular dating app Mobifriends is yet another high-profile reminder of why this is necessary.
3.68 million Mobifriends users have had just about all of the information associated with their accounts, including their passwords, leaked to the internet. Initially offered for sale on a hacker forum, the data has been leaked a second time and is now widely available on the internet for free. Some of these users apparently opted to use work email addresses to create their profiles, with a number of apparent employees of Fortune 1000 companies among the breached parties.
Given that the hashing used on the account passwords is weak and can be cracked relatively easily, the nearly 3.7 million passwords exposed in this breach must now be treated as if they were listed in plaintext on the internet. Every Mobifriends user needs to ensure that they are free and clear of potential password reuse vulnerabilities, but history indicates that many will not.
The massive dating app breach
The breach of the Mobifriends dating app appears to have happened back in January 2019. The information appears to have been available for sale through dark web hacking forums for at least several months, but in April it was leaked to underground forums for free and has spread rapidly.
The breach does not contain things like private messages or pictures, but it does contain just about all of the details associated with the dating app’s account profiles: the leaked data includes email addresses, mobile numbers, dates of birth, gender information, usernames, and app/website activity.
This includes passwords. Though these are not stored in plaintext, they are protected only by a weak, fast hashing function (MD5) that is fairly easy to crack back to plaintext.
This gives anyone interested in downloading the list of dating app accounts a set of nearly 3.7 million username / email and password combinations to try at other services. Jumio CEO Robert Prigge points out that this provides hackers with a worrying set of tools: “By exposing 3.6 million user email addresses, mobile numbers, gender information and app/website activity, MobiFriends is giving criminals everything they need to execute identity theft and account takeover. Cybercriminals can easily obtain these details, pretend to be the real user and commit online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault. Because online dating sites often facilitate in-person meetings between two people, organizations need to make sure users are who they claim to be online – both in initial account creation and with each subsequent login.”
The presence of a number of professional email addresses among the dating app’s breached accounts is particularly troubling, as Balbix CTO Vinay Sridhara observed: “Despite being a consumer application, this hack should be very concerning for the enterprise. Since 99% of employees reuse passwords between work and personal accounts, the leaked passwords, protected only by the very outdated MD5 hash, are now in the hackers’ hands. Even worse, it appears that at least some MobiFriends employees used their work email addresses as well, so it’s entirely likely that full login credentials for employee accounts are amongst the nearly 4 million sets of compromised credentials. In this case, the compromised user credentials could unlock nearly 10 million accounts due to rampant password reuse.”
The never-ending issue of password reuse
Sridhara’s Balbix just published a new research study that demonstrates the potential extent of the damage that this improperly-secured dating app could cause.
The study, entitled “State of Password Use Report 2020,” found that 80% of all breaches are caused either by a commonly-tried weak password or credentials that were exposed in some sort of prior breach. It also found that 99% of people can be expected to reuse a work account password, and on average the typical password is shared between 2.7 accounts. The average user has eight passwords that are used for more than one account, with 7.5 of those shared with some sort of a work account.
The password reuse study also reveals that, despite years of warnings, the #1 cause of breaches of this nature is a weak or default system password on some sort of a work device. Organizations also still tend to struggle with the use of cached credentials to log into critical systems, with privileged user machines that have direct access to core servers, and with breaches of a personal account that, through password reuse, give access to a work account.
And when users do change their password, they don’t tend to get very creative or ambitious. Instead, they make small tweaks to a sort of “master password” that could easily be guessed or tried by an automated script. For example, users commonly just replace certain letters in the password with similar-looking numbers or symbols. As the study points out, password spraying and replay attacks are highly likely to take advantage of these sorts of password reuse patterns. Attackers can also use crude brute force attacks on targets that are not protected against repeated login attempts, a category that many “smart devices” fall into.
Is it time to put an end to passwords?
The Balbix study makes reference to Google research indicating that only 26% of users change their credentials after being notified of a breach, and that only 11% of enterprise accounts currently have multi-factor authentication (MFA) logins implemented.
Despite many years of loud and frequent media warnings, user attitudes toward password reuse are still alarmingly poor. One might reasonably infer from this that it is never going to get better. That’s the position that ForgeRock Senior Vice President Ben Goodman takes: “In today’s advanced digital age, we are moving toward a passwordless future. With biometrics or push notifications, organizations can bring the same effortless authentication users experience on their smartphones (with technologies like Apple’s FaceID or Samsung’s Ultrasonic Fingerprint scanner) to every digital touchpoint. Not only does this ensure security, but it also provides users with frictionless, secure digital experiences. The technology to eliminate the password for good exists, organizations just need to take the first step.”
The Balbix report dissents, concluding that there is presently no one perfect solution to entirely replace passwords. However, there are many layers of added security that can be applied: password managers, secondary MFA verifications, and more rigorous encryption schemes, to name a few of the more affordable and viable possibilities. As Anurag Kahol, CTO of Bitglass, points out, organizations also simply have to expect to spend more on active measures in anticipation of predictable human weaknesses in the security chain: “Real-time protections are now more critical than ever due to privacy regulations such as GDPR and CCPA. To prevent similar incidents and safeguard customer data, organizations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. They must also verify their users with tools like multi-factor authentication to validate their identities before granting them access to their systems.”
The damage done by the breach of this dating app could have been greatly mitigated with just one simple added layer of security: a better password hashing system than MD5. Though it would have still been a massive breach of personal information, it would not have left the door wide open for threat actors to exploit known password reuse vulnerabilities.
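To make the “better hashing system than MD5” point concrete, the added example below (not code from the article or from Mobifriends; the user table is constructed) contrasts the two schemes. With unsalted MD5, every user who picked the same password stores the same digest, so one crack or one lookup in a precomputed table of common-password digests exposes all of them at once. With per-user salts and a deliberately slow PBKDF2-HMAC-SHA256, identical passwords produce different records and each guess costs hundreds of thousands of hash iterations.

```python
import hashlib
import hmac
import os

# Constructed sample of an MD5-only user table (not real breach data).
CONSTRUCTED_USERS = {
    "alice@example.com": "Summer2019!",
    "bob@example.com": "Summer2019!",            # same password as alice
    "carol@example.com": "correct horse battery staple",
}

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256 work factor.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted hash; identical input always yields identical output."""
    return hashlib.md5(password.encode()).hexdigest()


def identical_hash_groups(users: dict) -> dict:
    """Map each MD5 digest shared by more than one user to the list of those users.
    Any such group is cracked as a unit, which is why unsalted hashes fail at scale."""
    groups = {}
    for user, password in users.items():
        groups.setdefault(md5_unsalted(password), []).append(user)
    return {digest: members for digest, members in groups.items() if len(members) > 1}


def hash_pbkdf2(password: str, salt: bytes = None) -> str:
    """Modern scheme: random 16-byte salt plus a slow key derivation, stored as
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and compare in
    constant time, so a login check leaks nothing about how many bytes matched."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("users sharing an MD5 digest:", identical_hash_groups(CONSTRUCTED_USERS))
    rec_a, rec_b = hash_pbkdf2("Summer2019!"), hash_pbkdf2("Summer2019!")
    print("same password, distinct PBKDF2 records:", rec_a != rec_b)
    print("verify ok:", verify_pbkdf2("Summer2019!", rec_a), "wrong:", verify_pbkdf2("Summer2020!", rec_a))
```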