WEBVTT

00:00:00.320 --> 00:00:03.040
JACK: Let’s start out with tell us your name and what do you do.

00:00:03.040 --> 00:00:10.080
TROY: My name is Troy Hunt. I am an Australian security researcher, I guess. That term seems to

00:00:10.080 --> 00:00:14.960
be used a lot. I run the data breach notification service Have I Been Pwned? I write some online

00:00:14.960 --> 00:00:18.960
training for people, and speak at events. JACK: Troy’s website haveibeenpwned.com

00:00:18.960 --> 00:00:23.120
is amazing. Basically if there’s a data breach out there where the data is public,

00:00:23.120 --> 00:00:27.920
Troy knows about it. He collects all the breach data and puts it into his database and lets

00:00:27.920 --> 00:00:31.440
people search for their e-mail address to see if their account has been in a breach.

00:00:31.440 --> 00:00:36.080
TROY: Yeah, so a typical example [inaudible] pops up and says look, I’ve got the data. It’s

00:00:36.080 --> 00:00:41.600
often via an e-mail or a Twitter DM. I said look, would you like if I Have I Been Pwned? They often

00:00:41.600 --> 00:00:47.760
send me a link to Mega. They’ll put a Mega.NZ somewhere. Sometimes they ask for attribution as

00:00:47.760 --> 00:00:54.560
well. Some people want either the notoriety or the fame, as it may be. I get through, grab that data,

00:00:54.560 --> 00:00:59.920
validate that it’s actually legitimate, then load it in, write it up, and publish it.

00:00:59.920 --> 00:01:03.680
JACK: He’s been running this site since 2013, adding all the public

00:01:03.680 --> 00:01:08.480
and semi-public user account data breach details that he could find. His site has truly changed

00:01:08.480 --> 00:01:12.720
how we view our account security. TROY: Yeah, where to even begin? I guess

00:01:12.720 --> 00:01:17.440
one of the things that amazes me – I’m looking at the record count now having just loaded the

00:01:17.440 --> 00:01:24.800
Dubsmash data last night. It said it’s almost 6.9 billion records. I remember when I started it. It

00:01:24.800 --> 00:01:31.200
was like 155 million records in there. I was like wow; this is a lot of data. I wonder if it’s gonna

00:01:31.200 --> 00:01:34.640
be able to get much bigger. JACK: That is, there have been 6.9

00:01:34.640 --> 00:01:39.040
billion e-mail addresses seen in data breaches in the last ten years or so.

00:01:39.040 --> 00:01:44.560
That’s a lot of e-mail addresses. TROY: This is 6.9 billion breached accounts.

00:01:44.560 --> 00:01:51.840
As an example, my own e-mail address has been seen fifteen times. Of that 6.9 billion, fifteen of

00:01:51.840 --> 00:01:58.640
them are me. This is not unique e-mail addresses. Unique e-mail addresses is more around the four

00:01:58.640 --> 00:02:04.000
billion something. I sort of wonder if you’re doing the mental arithmetic here and going well,

00:02:04.000 --> 00:02:08.880
hang on a moment. How many people are there out there that are actually connected to the internet?

00:02:08.880 --> 00:02:14.240
You sort of realize that this is a really significant portion of online accounts.

00:02:14.240 --> 00:02:18.000
JACK: You can imagine if you post the data breach details for people to search on,

00:02:18.000 --> 00:02:22.720
Troy’s gonna get some interesting feedback. TROY: I remember one company said look,

00:02:22.720 --> 00:02:26.640
we’ve gone and done a domain search. The same three guys in the warehouse are on

00:02:26.640 --> 00:02:30.400
basically every porn site. We need to be really, really confident that

00:02:30.400 --> 00:02:34.000
this information is accurate because we’ve gotta go and have some very uncomfortable chats with

00:02:34.000 --> 00:02:37.280
some of the guys in the warehouse. JACK: Can you imagine signing up for a porn

00:02:37.280 --> 00:02:41.520
site with your work e-mail address and then having it show up in a breach notification

00:02:41.520 --> 00:02:46.240
to your boss? Ugh. But there are so many breaches happening these days that it’s

00:02:46.240 --> 00:02:50.880
hard for Troy to keep up on all of it. TROY: Yeah, honestly at the moment it is wearing

00:02:50.880 --> 00:02:59.760
me out because it’s so much work. It really dawned on me in January where I loaded one of these

00:02:59.760 --> 00:03:05.200
credentials [inaudible] 773 million records. I loaded it just as I got on a plane to go

00:03:05.200 --> 00:03:11.680
overseas and have a few days out in the snow with some friends. I just got thousands of e-mails and

00:03:11.680 --> 00:03:18.240
tweets and media. I just got absolutely bombarded right at a time I was trying to switch off.

00:03:18.240 --> 00:03:25.920
I actually started to become really conscious of the mental toll it’s taking, if I’m honest.

00:03:25.920 --> 00:03:33.120
That bit is hard. Then underlying that there’s just this massively increasing stream of data,

00:03:33.120 --> 00:03:39.360
I would have multiple breaches a day sent to me of all different scale, of course.

00:03:39.360 --> 00:03:44.480
At the moment I’m sort of working through this whole lot which was published in just the last

00:03:44.480 --> 00:03:49.360
couple of weeks which had things like MyHeritage and Dubsmash, MyFitnessPal, and all these.

00:03:49.360 --> 00:03:54.320
There was about a quarter of a billion records there across different unique incidents. I need

00:03:54.320 --> 00:03:57.760
to verify each one of those and then load the data and send the e-mails and then deal

00:03:57.760 --> 00:04:01.760
with the onslaught of feedback from it. JACK: At this point Troy has added hundreds of

00:04:01.760 --> 00:04:06.880
website dumps into his database. Breaches today are really quite common. But let’s roll back the

00:04:06.880 --> 00:04:11.280
clock and dive into a breach that happened a long time ago but had a big impact on how

00:04:11.280 --> 00:04:17.280
we view security today. JACK (INTRO): [INTRO MUSIC]

00:04:17.280 --> 00:04:24.080
These are true stories from the dark side of the internet.

00:04:24.080 --> 00:04:42.485
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:04:42.485 --> 00:04:47.120
JACK: The common thread on where a hacker comes from is that many of them had a computer in their

00:04:47.120 --> 00:04:52.640
home as a teenager. [MUSIC] When a teenager has a computer they’ll probably want to play video

00:04:52.640 --> 00:04:56.720
games on it. Some will be curious about those games and start playing with the mechanics of

00:04:56.720 --> 00:05:00.880
the game itself by exploring the files of the game, maybe changing one of them to

00:05:00.880 --> 00:05:05.440
see what it does. They might then look online for cheats or even hacks to make the game do

00:05:05.440 --> 00:05:10.880
things it’s not supposed to. This might fascinate a teenager even more. They begin to think about

00:05:10.880 --> 00:05:15.200
more things they can do with this; maybe write a program to automate the video game or find a way

00:05:15.200 --> 00:05:19.440
to make copies of it for friends. The curious mind and the endless tunnel of the internet

00:05:19.440 --> 00:05:25.200
is a beautiful combination but having that while being a teenager can be even more powerful.

00:05:25.200 --> 00:05:30.320
If you’re in high school or college living at home with no job and have an obsessive fascination with

00:05:30.320 --> 00:05:35.440
that hunk of metal in the corner of your room, you can spend an insane amount of time on that thing,

00:05:35.440 --> 00:05:39.520
literally staying up all night on the computer, sleeping only a couple hours, and then going to

00:05:39.520 --> 00:05:45.040
class is not that uncommon. As soon as school’s out, they’ll go right back to the computer again.

00:05:45.040 --> 00:05:49.520
It’s not just playing video games but also learning HTML or how to code and finding different

00:05:49.520 --> 00:05:54.400
things to learn on the internet. A teenager can easily spend ten hours a day on a computer. They

00:05:54.400 --> 00:05:59.040
can learn how to build things and how to break things. Making stuff and breaking stuff becomes

00:05:59.040 --> 00:06:04.480
the new obsession. Malcolm Gladwell once famously wrote that you can master something if you spend

00:06:04.480 --> 00:06:09.520
10,000 hours doing it. If you spend ten hours a day for three years, that’s 10,000 hours.

00:06:09.520 --> 00:06:13.680
Not everyone has this opportunity of owning a computer, having an endless curiosity

00:06:13.680 --> 00:06:18.480
towards technology, and not having that much responsibility as a teenager. If you had this,

00:06:18.480 --> 00:06:22.960
consider yourself privileged because having access to a world of information right there

00:06:22.960 --> 00:06:27.600
in your bedroom, having the luxury of time to be able to spend countless hours on it

00:06:27.600 --> 00:06:32.080
is not something everyone has. But like I was saying, this is the common story of how many

00:06:32.080 --> 00:06:38.400
hackers got started, or security professionals. They’re really two sides of the same coin. This

00:06:38.400 --> 00:06:44.000
is how I imagine Tom got started with computers. Tom was your average security professional. He

00:06:44.000 --> 00:06:48.080
likely did the time of spending the 10,000 hours in front of a computer and worked his way up,

00:06:48.080 --> 00:06:53.120
getting a solid gig securing the network for a company. He knew computers well. Oh, and Tom’s

00:06:53.120 --> 00:06:56.560
not his real name, by the way. That’s just the name given to him by the New York Times.

00:06:56.560 --> 00:07:01.680
Tom could code, troubleshoot PC problems, and he knew his way around databases really well.

00:07:01.680 --> 00:07:06.160
Somewhere along the way of learning all this, he got curious about hacking. He started looking

00:07:06.160 --> 00:07:10.320
at websites to learn how you can do things to computers you really shouldn’t be allowed to do.

00:07:10.320 --> 00:07:15.440
He thought this was cool and wanted to learn more; found a website that had all kinds of tutorials on

00:07:15.440 --> 00:07:21.360
how to hack, [MUSIC] how to write a bot, how to write exploits in Python, stuff like that.

00:07:21.360 --> 00:07:25.440
The site had a forum too, and he joined it and used it to ask questions and learn more about

00:07:25.440 --> 00:07:30.080
hacking. The weird thing about the internet; it’s so big, right? There’s so many corners and pockets

00:07:30.080 --> 00:07:36.560
of people in each crevice of it that wherever you go it feels like everyone is doing this thing. If

00:07:36.560 --> 00:07:40.400
you go on Instagram it feels like everyone’s traveling. If you go on Facebook it feels like

00:07:40.400 --> 00:07:45.920
everyone’s having babies. If you go on a hacker forum it feels like everyone is hacking.

00:07:45.920 --> 00:07:50.400
I don’t know if Tom was just bored at work or felt mischievous or just thought that because he hangs

00:07:50.400 --> 00:07:54.880
out in the hacking forums that it appeared that everyone was doing this, but it seemed cool to

00:07:54.880 --> 00:08:00.160
hack. These forums would sometimes have a post of someone showing you step-by-step how a specific

00:08:00.160 --> 00:08:04.720
website is vulnerable to an attack. If you were quick enough you could follow the steps and get

00:08:04.720 --> 00:08:10.800
in and look around. Tom was seeing this, a lot of this, and started to poke around at websites

00:08:10.800 --> 00:08:17.440
himself to see if he could find a hackable website. The thing is, the internet is huge

00:08:17.440 --> 00:08:21.600
though, and it’s hard to know where to look to try to find a website that’s vulnerable. At least,

00:08:21.600 --> 00:08:26.640
there wasn’t a good spot back in 2009 when this story took place, so Tom would visit websites

00:08:26.640 --> 00:08:30.800
he knew about and start checking to see if they were exploitable. He was going through a bunch of

00:08:30.800 --> 00:08:35.600
websites that he could think of and testing if any of them were vulnerable to certain attacks.

00:08:35.600 --> 00:08:40.160
He would go to these websites and click the login button and then put a single quote in for the

00:08:40.160 --> 00:08:45.920
username and password and hit Log In. The website should come back with a message saying Invalid

00:08:45.920 --> 00:08:51.840
Login, User Not Found, or something like this. But one website he did this on said something else.

00:08:51.840 --> 00:08:55.760
Instead it looked like the website had crashed. The whole page went blank

00:08:55.760 --> 00:09:00.960
and it just displayed a little error saying You Have an Error in Your SQL Syntax.

00:09:00.960 --> 00:09:05.680
You might be thinking wait, how is it that if you put a single quote in for the username and try to

00:09:05.680 --> 00:09:13.760
log in with just that it gives you an error saying your SQL syntax isn’t right? Well, I’ll tell you.

00:09:13.760 --> 00:09:19.600
SQL, or often called sequel, is the language used to talk to databases. Websites that have

00:09:19.600 --> 00:09:24.480
users that can log in have a database where the user information is kept. When a user tries to

00:09:24.480 --> 00:09:29.760
log into the site, the website has to ask the database if that user is in the database.

00:09:29.760 --> 00:09:35.680
In this case Tom asked if there’s a user that’s just a single quote. This single quote was

00:09:35.680 --> 00:09:42.080
passed right into the database query, but SQL treats single quotes special. Web developers

00:09:42.080 --> 00:09:47.600
should not trust inputs from the user and should sanitize them and parse it differently. But when

00:09:47.600 --> 00:09:54.160
Tom saw the website was telling him he had a SQL syntax error he knew immediately what this meant.

00:09:54.160 --> 00:09:58.880
The website was not sanitizing its user inputs properly and he could issue SQL

00:09:58.880 --> 00:10:05.680
commands and query the database right through the username field of the login page.

00:10:05.680 --> 00:10:10.720
This is known as SQL injection and it’s been a known attack since 1998

00:10:10.720 --> 00:10:15.040
but still even today web developers struggle to properly sanitize user inputs.

00:10:15.040 --> 00:10:19.680
It’s constantly been one of the biggest threats to websites. Tom saw this website

00:10:19.680 --> 00:10:23.680
was vulnerable to SQL injection and started seeing what kind of fun he could have.

00:10:23.680 --> 00:10:29.600
Oh, I should say this website he found the SQL injection on was csfd.cz which is like

00:10:29.600 --> 00:10:35.200
IMDB but in the Czech Republic. It’s an online movie database in Czech. He started passing SQL

00:10:35.200 --> 00:10:39.520
commands to the database through this login page. First he discovered the database name

00:10:39.520 --> 00:10:44.560
which was called Public. Okay. Next he looked at the tables within the database. There were

00:10:44.560 --> 00:10:51.120
forty-two tables here, things like Forum, Posts, Film Names, Film Ratings, and things like that.

00:10:51.120 --> 00:10:54.800
Not a big deal. This is all public information that you could theoretically scrape from the

00:10:54.800 --> 00:11:00.960
website if you wanted to anyways. But then he saw a table that caught his eye; Uživatelé,

00:11:00.960 --> 00:11:07.360
which is a Czech word meaning ‘users.’ [MUSIC] He quickly issued a command to see the contents of

00:11:07.360 --> 00:11:13.840
this users table and sure enough it had all the user data. He saw usernames, hashed passwords, and

00:11:13.840 --> 00:11:18.560
e-mail addresses of every user on the site. Now keep in mind, he’s doing all of these SQL

00:11:18.560 --> 00:11:23.200
queries from the login page of the website. He’s not even a user on this site and still he could

00:11:23.200 --> 00:11:28.400
see all of the database content. This was a big deal for this fairly popular Czech website to have

00:11:28.400 --> 00:11:34.080
been accessed by Tom like this. This put a big smile on Tom’s face. He looked to see how

00:11:34.080 --> 00:11:41.520
many users there were on the site and there were 187,000. This included their login name, e-mail,

00:11:41.520 --> 00:11:45.680
and password hash. A password hash is not a password; it’s what the passwords look like after

00:11:45.680 --> 00:11:50.960
you run it through an algorithm called a hash. This is how you should store passwords, hashed.

00:11:50.960 --> 00:11:55.440
A large list of password hashes like this could be cracked over time so he started downloading

00:11:55.440 --> 00:12:00.240
them all. He spent a few weeks looking around the database and site. He’d go to work, do his day

00:12:00.240 --> 00:12:05.680
job, and then come home and continue poking around this website until one day Tom lost access to the

00:12:05.680 --> 00:12:10.480
website and saw an e-mail from this Czech movie database which was sent to all customers.

00:12:10.480 --> 00:12:15.600
It said they’re migrating to a different database with different password storage.

00:12:15.600 --> 00:12:19.920
Something about this e-mail upset Tom. He thought they were lying to their customers and

00:12:19.920 --> 00:12:24.160
hiding the fact that they’ve been breached. Tom wanted to tell the world that he hacked

00:12:24.160 --> 00:12:28.720
this site and that’s why they’re wanting to change databases. He decided to make a blog

00:12:28.720 --> 00:12:34.720
post but where’s a safe place to post about hacks? WordPress and Blogger sometimes took down illegal

00:12:34.720 --> 00:12:39.920
content so that wasn’t gonna work. Registering his own domain and hosting it himself, I don’t know,

00:12:39.920 --> 00:12:45.440
just wasn’t a good option. So he gave BayWords a try. BayWords was a simple blogging platform

00:12:45.440 --> 00:12:49.520
and it was started by the same people who started The Pirate Bay. It was meant to be a free-speech

00:12:49.520 --> 00:12:54.000
zone for people who wanted to blog about things that might be taken down by other platforms.

00:12:54.000 --> 00:13:00.640
Tom made a BayWords account and made his first blog post under the name IGIGI.

00:13:00.640 --> 00:13:07.360
His post said the csfd.cz website has been hacked. He said if you get an e-mail from the company

00:13:07.360 --> 00:13:11.680
saying they are migrating servers, don’t believe it, and that they were trying to recover from Tom

00:13:11.680 --> 00:13:16.400
breaking in and downloading all their stuff. Tom also said his access was terminated but he still

00:13:16.400 --> 00:13:21.200
had two other ways into the network. He then goes on to post samples, snippets of what he’s stolen.

00:13:21.200 --> 00:13:26.480
This included all the names of the tables as well as twenty username and password hashes. Then he

00:13:26.480 --> 00:13:30.800
spread his post around a few hacking forums to show what he did. A few people commented on this

00:13:30.800 --> 00:13:34.640
post, some calling him an idiot, others saying he had no ethics. Someone else encouraged him to

00:13:34.640 --> 00:13:38.800
post the entire database. I don’t know what the websites themselves did because I couldn’t find

00:13:38.800 --> 00:13:44.480
any news stories about this breach other than Tom’s post. But this was great fun for Tom. He

00:13:44.480 --> 00:13:48.960
really enjoyed the feeling of hunting for insecure websites and breaking into them and looking at

00:13:48.960 --> 00:13:54.400
their databases. He kept looking for more. Two days after posting that he hacked into the

00:13:54.400 --> 00:14:00.400
Czech movie database website he made another BayWords post, [MUSIC] this time saying he

00:14:00.400 --> 00:14:07.280
hacked into a Slovakian architecture firm. He posted a sample data set from there. The next day

00:14:07.280 --> 00:14:11.600
another post, saying he hacked into a Czech e-commerce store and this one was actually

00:14:11.600 --> 00:14:16.720
storing their passwords in clear text. Then the very next day he hacked into another Czech website

00:14:16.720 --> 00:14:21.760
which posts dark humor content; videos and jokes and stuff like that. In fact, this was a site he

00:14:21.760 --> 00:14:26.640
said he actually liked so he had a lot of fun hacking into it. [MUSIC] Tom was on a tear,

00:14:26.640 --> 00:14:31.440
finding website after website vulnerable to SQL injection and hacking it, downloading the

00:14:31.440 --> 00:14:37.760
user database, and posting it like a trophy to his BayWords blog. But he wanted more. He needed more.

00:14:37.760 --> 00:14:43.200
This hacking stuff was a wild rush of adrenaline and fun, so much different than his plain old

00:14:43.200 --> 00:14:47.680
day job and it was getting him notoriety. I have a feeling Tom was from the Czech Republic

00:14:47.680 --> 00:14:52.640
or Slovakia because all the websites he hacked were all there. It’s just a lot harder to hack

00:14:52.640 --> 00:14:56.240
a website that’s in a foreign language. One of the hacking forums he liked to go to

00:14:56.240 --> 00:15:00.000
had a section where people would post vulnerabilities they found on websites.

00:15:00.000 --> 00:15:07.600
One of these posts said that rockyou.com was vulnerable to SQL injection.

00:15:07.600 --> 00:15:12.160
Rockyou.com was a popular American website at the time. They built widgets and tools for social

00:15:12.160 --> 00:15:17.040
media. For instance, they built a Facebook app called SuperWall back in 2007. This gave

00:15:17.040 --> 00:15:22.000
you the ability to post more cool stuff to your Facebook wall like videos and images and stuff.

00:15:22.000 --> 00:15:26.160
People loved this app and it grew in popularity. Over 100,000 people installed it and they liked to

00:15:26.160 --> 00:15:31.040
decorate their Facebook pages in unique ways. Now, to use RockYou apps you had to make an account at

00:15:31.040 --> 00:15:36.640
rockyou.com but because it was so integrated into your social media, RockYou also needed access to

00:15:36.640 --> 00:15:41.280
your Facebook or MySpace pages, too. They were also making social media games,

00:15:41.280 --> 00:15:45.280
too. They were killing it on Facebook and MySpace with tons of great apps to enhance

00:15:45.280 --> 00:15:49.680
the social media experience. RockYou was getting invited to exclusive events and getting early

00:15:49.680 --> 00:15:54.080
access to API features and abilities. More and more people started using the RockYou apps. The

00:15:54.080 --> 00:15:57.680
company was looking to be a promising startup. They raised ten million dollars in funding,

00:15:57.680 --> 00:16:02.320
then another three million. They just kept getting more and more funding, hiring more employees,

00:16:02.320 --> 00:16:07.200
too. They were aggressively becoming a successful startup and their popularity was booming.

00:16:07.200 --> 00:16:12.880
RockYou was growing fast but they were making some mistakes along the way. [MUSIC]

00:16:12.880 --> 00:16:17.680
One mistake that RockYou made was an e-mail they sent to all 450 of their ad partners

00:16:17.680 --> 00:16:22.560
talking about an upcoming change. The mistake was that they e-mailed them all in the CC field

00:16:22.560 --> 00:16:28.240
and not the BCC field, so all 450 of their ad partners knew what their competition was. Many

00:16:28.240 --> 00:16:33.040
of them were Facebook ad makers themselves. Zynga was on this list and they took advantage of

00:16:33.040 --> 00:16:37.760
it and started e-mailing many of the people on the list asking if they’d like to come work at Zynga.

00:16:37.760 --> 00:16:42.400
There was a huge Reply All e-mail chain that resulted in this and it was bad and hilarious. The

00:16:42.400 --> 00:16:46.800
vice president of RockYou came out and apologized for the e-mail and promised to take privacy more

00:16:46.800 --> 00:16:51.200
seriously and correct the issue. But guess what? Two months later they did the same thing again,

00:16:51.200 --> 00:16:57.040
accidentally Cc’ing the entire ad partner list. Then they did it again not long after that. This

00:16:57.040 --> 00:17:02.800
began infuriating some ad partners. Mistakes were made, that’s for sure. Another security

00:17:02.800 --> 00:17:06.960
issue that RockYou had was their password policy. Your password had to be a minimum

00:17:06.960 --> 00:17:12.160
length of five characters long and could not include any special characters. This is really

00:17:12.160 --> 00:17:18.320
weak even for 2009 standards. RockYou would be made fun of for that over and over.

00:17:18.320 --> 00:17:23.600
In November 2009 when someone posted on this hacker forum that rockyou.com was vulnerable to

00:17:23.600 --> 00:17:29.840
a SQL injection, this caught Tom’s interest big time. He immediately started checking

00:17:29.840 --> 00:17:36.640
for himself and sure enough he was able to get right in. This was a massive database.

00:17:36.640 --> 00:17:42.800
Forget about the 187,000 users in that Czech movie database website. RockYou had millions

00:17:42.800 --> 00:17:50.080
of users. Tom was blown away by this. [MUSIC] Such a big and fast-growing company with such a

00:17:50.080 --> 00:17:54.960
simple vulnerability. In fact, the SQL injection Tom used to get in was very close to the same

00:17:54.960 --> 00:18:02.400
one posted in a Phrack magazine in 1998. So eleven years later rockyou.com was open to the same exact

00:18:02.400 --> 00:18:07.760
vulnerability. They didn’t have their users’ best interests in mind so Tom started going through

00:18:07.760 --> 00:18:13.440
the rockyou.com database and taking all of the user data he could find, downloading hundreds of

00:18:13.440 --> 00:18:18.640
thousands of logins which quickly became millions, and then tens of millions. This took a while for

00:18:18.640 --> 00:18:23.520
him to get all this and he would spend days downloading all this data out of the database.

00:18:23.520 --> 00:18:30.400
What he does with that data will change the way we view password security even today. Tom

00:18:30.400 --> 00:18:35.440
wasn’t the only one that noticed the forum post that RockYou was vulnerable to SQL injection.

00:18:35.440 --> 00:18:39.680
Someone else had noticed this, too. AMICHAI: My name is Amichai Shulman

00:18:39.680 --> 00:18:48.560
and by 2009 I was working with Imperva, a company that I founded in 2002.

00:18:48.560 --> 00:18:53.680
JACK: Amichai has a strong background in security. In fact he started out in Unit 8200,

00:18:53.680 --> 00:18:58.640
the secret Israeli military division. AMICHAI: Yes, I spent eight years in the military.

00:18:58.640 --> 00:19:05.920
One of the lessons, the bigger lessons, being on the defensive side in the military, was

00:19:05.920 --> 00:19:14.320
that when you’re in the military you think you can command people to do things.

00:19:14.320 --> 00:19:22.720
You go to application programmers and you tell them you have to write secure code.

00:19:22.720 --> 00:19:29.520
That’s an order. You have to use prepared statements so you don’t get SQL injection.

00:19:29.520 --> 00:19:41.600
That’s an order. When you see that this kind of practice cannot be enforced in the military,

00:19:41.600 --> 00:19:52.000
you’ll get to understand that it is even less effective in commercial environments.

00:19:52.000 --> 00:19:56.960
JACK: Sometime after Amichai finished his time in 8200 he went off and co-founded a company called

00:19:56.960 --> 00:20:01.280
Imperva which helps companies secure their applications. He was good at defending

00:20:01.280 --> 00:20:06.880
the network and put his expertise to use. In December of 2009 a security researcher at Imperva

00:20:06.880 --> 00:20:12.400
saw the forum post that rockyou.com was vulnerable to a SQL injection. He notified RockYou of this

00:20:12.400 --> 00:20:16.960
vulnerability and RockYou quickly got to work fixing the problem. They worked all weekend to

00:20:16.960 --> 00:20:23.040
resolve this SQL injection on their site but while doing so they realized it was too late. RockYou

00:20:23.040 --> 00:20:31.120
had seen that someone else had been in the site and downloaded a copy of their entire database.

00:20:31.120 --> 00:20:35.840
A small news article came out about Imperva warning RockYou of this vulnerability.

00:20:35.840 --> 00:20:41.200
Tom, the hacker, saw this article and went crazy. By this point not only did he hack

00:20:41.200 --> 00:20:44.960
into the site but he had downloaded their entire user database.

00:20:44.960 --> 00:20:52.720
Tom downloaded 32 million user accounts from rockyou.com. He looked at the 32 million accounts

00:20:52.720 --> 00:20:57.760
he stole and then looked at the article which said the vulnerability was fixed. He thought well, it’s

00:20:57.760 --> 00:21:02.800
too late. You’ve already been hacked. The privacy policy on RockYou’s website was not the best;

00:21:02.800 --> 00:21:08.240
first it says the company makes reasonable efforts to keep its users’ data safe but the security is

00:21:08.240 --> 00:21:13.040
not ensured and you should use the site at your own risk. It actually says when you give any data

00:21:13.040 --> 00:21:17.920
to RockYou you are doing so at your own risk. Then the policy goes on to say that if RockYou learns

00:21:17.920 --> 00:21:22.800
of a breach they may contact their customers to tell them. Well, Tom had breached them and they

00:21:22.800 --> 00:21:27.520
weren’t notifying their customers. He wanted to expose their weak security and get them to admit

00:21:27.520 --> 00:21:32.960
that they’ve been breached. So what does Tom do? He writes another post on his BayWords account,

00:21:32.960 --> 00:21:37.360
this being the fifth post of the month of him hacking into various websites.

00:21:37.360 --> 00:21:43.120
On December 15, 2009 Tom posts to his blog saying that he’s taken 32 million accounts

00:21:43.120 --> 00:21:48.240
from the rockyou.com website. He shows us a little snippet of what he took then

00:21:48.240 --> 00:21:54.080
he even taunts RockYou by saying don’t lie to your customers or I’ll post everything.

00:21:54.080 --> 00:21:58.560
Someone saw this BayWords post and tweeted, tipping off a few news outlets of the breach.

00:21:58.560 --> 00:22:02.640
TechCrunch was the first to report on it, saying that 32 million user records were stolen from

00:22:02.640 --> 00:22:07.760
rockyou.com and urges the readers to change their password immediately. The journalist posted this

00:22:07.760 --> 00:22:13.680
right away and then examined the snippets from Tom’s dump closer and saw something else. RockYou

00:22:13.680 --> 00:22:19.600
had been storing the user passwords in clear text. What Tom posted a snippet of wasn’t a hash of the

00:22:19.600 --> 00:22:25.200
user’s password; it was the actual passwords. He only posted about 24 user details and he slightly

00:22:25.200 --> 00:22:32.640
obscured the password but still, what Tom had was 32 million usernames with their password. This was

00:22:32.640 --> 00:22:38.480
a huge lack of security on RockYou. Storing user passwords in clear text is a terrible idea.

00:22:38.480 --> 00:22:42.720
You might think oh, well, it’s 2009. Times were different then. But the Linux operating

00:22:42.720 --> 00:22:47.280
system had been already hashing their passwords for ten years by then, so it was not a fringe

00:22:47.280 --> 00:22:52.880
idea to hash passwords. The thing is we all reuse passwords, especially back in 2009,

00:22:52.880 --> 00:22:58.400
so these passwords might also work on the user’s e-mail, social media, and banking logins. Tom even

00:22:58.400 --> 00:23:02.240
wondered what percent of these people have PayPal accounts and if the password would work there,

00:23:02.240 --> 00:23:06.960
too. If he just took ten dollars from each of those accounts he’d probably have a lot of money.

00:23:06.960 --> 00:23:11.200
But something even more shocking was shown in the small snippet Tom posted. Not only

00:23:11.200 --> 00:23:15.840
was RockYou storing logins to their own site but they were also storing the login and usernames for

00:23:15.840 --> 00:23:21.120
social media sites, too. Because if you wanted to use a RockYou MySpace app, you’d have to log

00:23:21.120 --> 00:23:26.240
into both MySpace and RockYou to use it. RockYou would capture these MySpace logins and

00:23:26.240 --> 00:23:33.920
store them on their own site again in clear text, not encrypted, not hashed, not secure at all.

00:23:33.920 --> 00:23:38.080
TechCrunch saw this, posted a second article, and they reached out to RockYou asking when they’re going

00:23:38.080 --> 00:23:42.640
to tell their customers of this breach. Within 24 hours of TechCrunch writing the article,

00:23:42.640 --> 00:23:47.200
RockYou did send a notification to its customers saying there had been a breach and that a person

00:23:47.200 --> 00:23:51.280
took usernames and passwords. They didn’t say anything about the social media usernames and

00:23:51.280 --> 00:23:55.280
passwords and they didn’t mention the passwords were stored in clear text but they did make sure

00:23:55.280 --> 00:24:01.280
to say several times that they take security and privacy very seriously. News of this breach spread

00:24:01.280 --> 00:24:06.160
fast. RockYou was a popular site and in fact by that time in 2009, this was around the fifth

00:24:06.160 --> 00:24:12.960
biggest breach of all time. 32 million records was a lot so this was big news. Tom looked through the

00:24:12.960 --> 00:24:17.520
32 million username and password records and he had wondered what he should do with it.

00:24:17.520 --> 00:24:22.240
He liked looking at what passwords people were using. A lot were just their first name or band

00:24:22.240 --> 00:24:27.360
name they liked. This fascinated Tom and he kept looking at people’s password choices. Of course,

00:24:27.360 --> 00:24:32.000
a lot of them were really bad since the minimum length had to be five characters and no special

00:24:32.000 --> 00:24:37.120
characters were even allowed. Tom thought if he’s finding this interesting, maybe other people would

00:24:37.120 --> 00:24:42.800
find this interesting, too. He extracted only the passwords out of the dump, all 32 million of them,

00:24:42.800 --> 00:24:47.920
and put them in a text file. There were no usernames, no e-mail addresses, just 32 million

00:24:47.920 --> 00:24:53.920
passwords. He posted this to RapidShare, a popular file sharing site, and he told a few people in

00:24:53.920 --> 00:24:58.240
a hacker forum about it. Amichai noticed this and grabbed a copy of the password list because

00:24:58.240 --> 00:25:01.520
this could be really interesting. AMICHAI: I think [00:25:00] at least for me,

00:25:01.520 --> 00:25:08.080
the first time that we saw that many passwords in single file and said okay,

00:25:08.080 --> 00:25:11.120
what can we do with it? JACK: [MUSIC]

00:25:11.120 --> 00:25:15.760
When the password list got in the wild, some news sites reached out to Imperva for another

00:25:15.760 --> 00:25:20.800
comment but for Amichai to go through 32 million passwords was going to take a long time.

00:25:20.800 --> 00:25:27.360
AMICHAI: I have to say our PR agency was not happy about it because I told them it’s going to

00:25:27.360 --> 00:25:34.960
take time and we’re not going to have a comment on this in two hours. It will take us at least a week

00:25:34.960 --> 00:25:40.000
to process the file and understand what we can find and learn from it.

00:25:40.000 --> 00:25:44.560
They were not happy to begin with. JACK: This got downloaded by many other

00:25:44.560 --> 00:25:49.280
hackers really quick. This was hot stuff. Like I said, this was around the fifth largest breach

00:25:49.280 --> 00:25:53.760
at the time and since these passwords were in clear text, this was an amazing data set of

00:25:53.760 --> 00:25:58.880
words to try when cracking passwords. Previously there were simple dictionary word lists but now

00:25:58.880 --> 00:26:04.000
this is a massive list of actual passwords people are using. The RapidShare link didn’t stay up

00:26:04.000 --> 00:26:08.240
long. It was taken down pretty quick and it didn’t matter; the password list got out in the wild and

00:26:08.240 --> 00:26:12.320
at that point started getting shared and spread among many hackers and security professionals

00:26:12.320 --> 00:26:17.920
online. Amichai and Imperva started making sense of the password list. They looked at what were the

00:26:17.920 --> 00:26:22.240
most commonly-used passwords on the list. Here, I’ll read them to you. Each one of these passwords

00:26:22.240 --> 00:26:26.320
I’m about to read has at least ten thousand people each who use this password.

00:26:26.320 --> 00:26:38.880
290,000 people used that password. 12345. 123456789. Password. I love you. Princess.

00:26:38.880 --> 00:26:50.560
1234567. RockYou. Yeah, 20,000 people used RockYou as their password. 12345678. abc123. Nicole.

00:26:50.560 --> 00:27:04.080
Daniel. Babygirl. Monkey. Lovely. Jessica. 654321. Michael. Ashley. Qwerty. 111111. 000000. Michelle.

00:27:04.080 --> 00:27:09.360
Tigger. Sunshine. Chocolate. Password with a number 1 at the end. Ah, very clever. Only 11,000

00:27:09.360 --> 00:27:16.160
people thought of that one. Soccer. Anthony. Friends. Butterfly. Purple. Angel. Jordan.

00:27:16.160 --> 00:27:24.640
AMICHAI: This was an eye-opener for us. When you got that

00:27:24.640 --> 00:27:32.560
large proportion of entries that corresponded to a relatively small number of unique passwords,

00:27:32.560 --> 00:27:38.000
that was like an ah-ha moment for us. JACK: [MUSIC] This was incredible data.

00:27:38.000 --> 00:27:43.120
It was such a rare glimpse into what passwords people are actually using in the real world on a

00:27:43.120 --> 00:27:48.640
massive scale. Nothing like this had ever been seen before. Amichai found that if you take the

00:27:48.640 --> 00:27:54.480
top five thousand most frequently used passwords you could crack 20% of all passwords.

00:27:54.480 --> 00:28:04.160
AMICHAI: That’s a huge thing because it changed the way that we were thinking about

00:28:04.160 --> 00:28:10.960
credential theft attacks or what would attackers do with this kind of file.

00:28:10.960 --> 00:28:15.520
JACK: Or put it another way; if I wanted to get into a single user’s account not on RockYou but on

00:28:15.520 --> 00:28:21.360
any site, Facebook, Gmail, a bank, if I try each of those top five thousand passwords, I have a 20%

00:28:21.360 --> 00:28:28.240
chance of getting into that single account. AMICHAI: Exactly. Either way you look at it,

00:28:28.240 --> 00:28:40.880
you understand that relying on the fact that attackers will use high-volume, noisy,

00:28:40.880 --> 00:28:55.280
brute force attack against every possible password is not the way to protect against attacks. I do think

00:28:55.280 --> 00:29:04.880
that once we understood that it was actually easier for us to really detect more attacks than

00:29:04.880 --> 00:29:17.120
we thought were in the wild. Again, I think that this publication with the large number ignited the

00:29:17.120 --> 00:29:23.120
whole discussion about password strength. JACK: As you can see, this was a goldmine for

00:29:23.120 --> 00:29:27.360
hackers to have. With a password set like this, the likelihood of them hacking other accounts

00:29:27.360 --> 00:29:32.160
significantly went up. Hackers were able to use this password list to get into many accounts

00:29:32.160 --> 00:29:38.160
after this but at the same time it gave defenders the ability to know how to detect such an attack.

00:29:38.160 --> 00:29:42.240
Because now we know attackers really don’t need to try millions of potential passwords.

00:29:42.240 --> 00:29:45.760
They could just try the top five thousand, or maybe the top thousand,

00:29:45.760 --> 00:29:50.560
or the top five hundred, or even the top five and still have a percent chance of getting in.

00:29:50.560 --> 00:29:57.200
AMICHAI: When we came up with the report almost two weeks after the incident, it turned out

00:29:57.200 --> 00:30:04.160
that New York Times showed a lot of interest. [00:30:00] It got us much, much more publicity.

00:30:04.160 --> 00:30:11.120
PR people were not that mad at the time. JACK: [MUSIC] This article actually hit the front

00:30:11.120 --> 00:30:17.360
page of New York Times and it said, “If your password is still 123456 it might as well be

00:30:17.360 --> 00:30:22.240
Hack Me.” RockYou sent more notifications to its customers outlining certain steps they’re taking

00:30:22.240 --> 00:30:27.280
to ensure security going forward. They started hashing their passwords after that, too. But this

00:30:27.280 --> 00:30:31.840
breach caused them major loss of customers. Many people were deleting their accounts and avoided

00:30:31.840 --> 00:30:37.760
using their apps. Their growth and climb to success had stalled and was actually detracting.

00:30:37.760 --> 00:30:43.200
About a year after the breach RockYou announced a massive amount of layoffs. Many people were let

00:30:43.200 --> 00:30:48.640
go as the company restructured its resources. The co-founder himself stepped down from his position

00:30:48.640 --> 00:30:54.400
as CEO. RockYou was determined to recover though, and rise up again. One of their arch rivals was

00:30:54.400 --> 00:30:59.280
bought out by Google and RockYou had gotten even more funding from venture capitalists. They used

00:30:59.280 --> 00:31:04.880
it to buy up a few small-time video game studios and continued to create apps for social media.

00:31:04.880 --> 00:31:08.880
By another strange turn of events, this hack was mainstream enough that it was

00:31:08.880 --> 00:31:13.680
actually a question in a game show. HOST: All right, you’ve got one million dollars.

00:31:13.680 --> 00:31:18.076
I’ve got seven questions. Let’s play the Million Dollar Money Drop. [APPLAUSE]

00:31:18.076 --> 00:31:22.720
JACK: Fox created a game show called Million Dollar Money Drop. A husband and wife couple

00:31:22.720 --> 00:31:27.040
is asked some trivia questions and they have a chance to make a million dollars. One couple was

00:31:27.040 --> 00:31:30.400
doing really well and had worked their way up. If they could answer this next question

00:31:30.400 --> 00:31:36.800
correctly, they would win $580,000. HOST: Let’s take a look at the questions.

00:31:36.800 --> 00:31:43.680
AMICHAI: [BACKGROUND TALKING] It was something like ‘In the Imperva report what was the most

00:31:43.680 --> 00:31:47.780
common password?’ Something like that. HOST: Sixty seconds. The clock has started.

00:31:47.780 --> 00:31:51.280
JACK: Okay, pop quiz. Let’s see if you’re listening. Do you remember the most common

00:31:51.280 --> 00:31:57.200
password I mentioned a few minutes ago? Here are the answers to pick from: I love you, password,

00:31:57.200 --> 00:32:04.800
and 123456. WIFE:

00:32:04.800 --> 00:32:05.760
No! Oh no! AMICHAI: The contestants,

00:32:05.760 --> 00:32:10.400
they got the answer wrong. JACK: They put all their money on

00:32:10.400 --> 00:32:15.840
password but the right answer was 123456. They ended up losing $580,000.

00:32:15.840 --> 00:32:25.520
AMICHAI: Then six months later the contestants sued the broadcasting company because

00:32:25.520 --> 00:32:28.960
they claimed it was a tricky question. JACK: They were claiming that the way the

00:32:28.960 --> 00:32:32.880
question was worded seemed like they were asking what’s the most common password, and they didn’t

00:32:32.880 --> 00:32:37.680
know the report only covered the RockYou database. Which I have to admit is a really weird question

00:32:37.680 --> 00:32:42.400
even for me, who follows security. To mention a specific security report by name? Who’s going

00:32:42.400 --> 00:32:46.000
to know what’s in that report off the top of their head? Strangely enough this game show

00:32:46.000 --> 00:32:51.120
had another lawsuit against them on a different episode. The contestants had an $800,000 question

00:32:51.120 --> 00:32:55.200
but got it wrong and then when they went home they looked it up and found they were actually right.

00:32:55.200 --> 00:33:00.240
They sued the game show which admitted they made a mistake and invited them back on to compete again.

00:33:00.240 --> 00:33:03.840
But neither of these contestants got anything for suing the game show

00:33:03.840 --> 00:33:09.680
because Fox cancelled the entire game show a year after it debuted. [MUSIC] A couple of class

00:33:09.680 --> 00:33:13.760
action lawsuits sprang up against RockYou, one in Indiana and the other in California.

00:33:13.760 --> 00:33:18.240
The California one went on to court and RockYou asked the judge to dismiss it entirely.

00:33:18.240 --> 00:33:22.320
RockYou was claiming that while the customers’ data was stolen, the customers couldn’t provide

00:33:22.320 --> 00:33:27.120
any evidence showing that this had caused them any harm. This is what a lot of class action lawsuits

00:33:27.120 --> 00:33:31.520
come down to after a breach; whether there’s any identifiable damage done to the customers

00:33:31.520 --> 00:33:37.040
or not. But the judge disagreed with RockYou and didn’t dismiss the case. The judge said that while

00:33:37.040 --> 00:33:42.560
there wasn’t any visible harm done to customers, there was an unidentifiable amount of harm done.

00:33:42.560 --> 00:33:47.680
The victims felt violated by having their private information exposed like that. To the judge,

00:33:47.680 --> 00:33:53.200
that was enough. RockYou settled this class action lawsuit by paying the plaintiffs $2,000 and also

00:33:53.200 --> 00:33:57.760
covering their lawyer fees. While it seems like a small amount, it kind of changed the way lawsuits

00:33:57.760 --> 00:34:02.320
were handled after this. Simply by having your personal identifying information stolen

00:34:02.320 --> 00:34:06.400
is now worth some money. It’s kind of a warning to other online companies.

00:34:06.400 --> 00:34:10.240
After that lawsuit was over, the Federal Trade Commission had a few things to add.

00:34:10.240 --> 00:34:15.920
The FTC investigated the breach and found that RockYou had stored almost 180,000 children’s

00:34:15.920 --> 00:34:20.400
records, too. These are people who are under thirteen that had accounts on RockYou’s website.

00:34:20.400 --> 00:34:24.880
When handling the children’s data, extra security precautions have to take place which fall under

00:34:24.880 --> 00:34:30.160
The Children’s Online Privacy Protection Act. The FTC determined that RockYou had known that

00:34:30.160 --> 00:34:34.960
children were users on the site and they didn’t protect their data which put them in violation

00:34:34.960 --> 00:34:39.760
of these rules. Specifically, the rules they broke were not obtaining parents’ permission

00:34:39.760 --> 00:34:43.200
before registering them to the site, and not protecting the confidentiality and

00:34:43.200 --> 00:34:48.640
security of personally identifiable information of children. Because they violated these rules,

00:34:48.640 --> 00:34:54.640
the FTC fined RockYou $250,000. Not only that, they demanded RockYou

00:34:54.640 --> 00:34:59.520
delete all information relating to children under thirteen, but they also must undergo

00:34:59.520 --> 00:35:04.480
security audits from a third party [00:35:00] every other year for the next twenty years.

00:35:04.480 --> 00:35:10.480
Violating any of this will cause even more fines. RockYou continued to build up its reputation. They

00:35:10.480 --> 00:35:14.960
purchased more game studios and made more apps after that. They hired more key people and had

00:35:14.960 --> 00:35:19.680
some fairly successful games but something about their business model didn’t work as well as they’d

00:35:19.680 --> 00:35:25.200
hoped. They struggled to keep things going and had some internal failures. I started researching this

00:35:25.200 --> 00:35:30.320
story earlier this year. I went to rockyou.com’s website last month to check it out. It looked

00:35:30.320 --> 00:35:34.880
sharp, hip, trendy, and they were talking about their future. About eight months ago they got

00:35:34.880 --> 00:35:40.160
another ten million dollars in funding and they just acquired a company called Mom.me in January.

00:35:40.160 --> 00:35:43.280
They were announcing they’re going to upgrade their servers in the next coming weeks.

00:35:43.280 --> 00:35:48.880
It looked like good things were ahead for RockYou but a few weeks ago I went back to the website and

00:35:48.880 --> 00:35:56.560
it was totally down. [MUSIC] It’s been down for three weeks now. If you try to go to rockyou.com

00:35:56.560 --> 00:36:03.120
right now it says Error Connection Reset. This is odd because the site was just there last month. I

00:36:03.120 --> 00:36:07.600
turned to look for their Twitter account and it’s been deleted. Their Facebook page is also gone.

00:36:07.600 --> 00:36:13.680
It’s like their entire company vanished right in front of my eyes. I did some research and I found

00:36:13.680 --> 00:36:21.600
what’s going on. On February 13th, 2019 RockYou filed Chapter Seven bankruptcy in New York State.

00:36:21.600 --> 00:36:26.240
They seemed to have quietly closed up shop. It’s really weird because there’s just no mention of

00:36:26.240 --> 00:36:34.640
this in any tech publications or news sites at all. But from the looks of it they may be gone forever.

00:36:34.640 --> 00:36:38.960
I don’t know why the company had done so poorly in the last ten years since this breach so I’m gonna

00:36:38.960 --> 00:36:42.720
guess there were a series of other problems they faced and they just couldn’t overcome,

00:36:42.720 --> 00:36:46.480
perhaps a few bad investments or poor leadership decisions.

00:36:46.480 --> 00:36:50.400
It looks like they were running some poker and bingo games that paid out with real money

00:36:50.400 --> 00:36:55.680
but a lot of people never got paid and got mad the site shut down while owing them money. It even

00:36:55.680 --> 00:37:01.120
says in the bankruptcy documents that there’s over $500,000 in unpaid customer winnings.

00:37:01.120 --> 00:37:05.120
What happened to Tom, you might ask? I don’t know. After he posted this RockYou

00:37:05.120 --> 00:37:09.920
breach data he kept blogging for a few more days after that. Then he did an interview with a news

00:37:09.920 --> 00:37:17.120
outlet and then disappeared, seemingly forever. We don’t even know his name. He went by IGIGI on his

00:37:17.120 --> 00:37:21.680
blog post and Tom is just a name the New York Times gave him. There’s never any news of him

00:37:21.680 --> 00:37:27.520
getting caught or facing charges. Tom said in the interview, “They’re now hunting for me but why?

00:37:27.520 --> 00:37:31.920
I didn’t do anything wrong. They should now be in jail because they put all those people at risk.

00:37:31.920 --> 00:37:37.360
What I did was just for illustration.” Tom wants us to think about who the real villain is here.

00:37:37.360 --> 00:37:42.080
He thinks it wasn’t him. RockYou thinks it wasn’t them. Can you be the victim and

00:37:42.080 --> 00:37:47.200
the villain at the same time? These are good questions. I asked Troy Hunt what he thought of

00:37:47.200 --> 00:37:51.920
the punishment that RockYou got from this. TROY: It’s an interesting question because for me,

00:37:51.920 --> 00:37:56.080
particularly around things like class actions, there’s always this question of

00:37:56.080 --> 00:38:01.840
impact. If we’re talking about individuals out there that have taken part in a class action,

00:38:01.840 --> 00:38:06.560
I guess I would like to assume that in order for there to be retribution from a company

00:38:06.560 --> 00:38:12.240
there needs to have been some sort of damages. The hesitation I have with RockYou is that when we’re

00:38:12.240 --> 00:38:18.560
just talking about a whole heap of passwords not associated with individuals floating around, it’s

00:38:18.560 --> 00:38:23.920
probably very hard to draw that back and say oh, I had my identity stolen because of RockYou.

00:38:23.920 --> 00:38:28.800
Well, the only way that really makes sense is if you’re using that same password everywhere

00:38:28.800 --> 00:38:34.960
and someone guessed what it was. I’m a little bit hesitant on the class action side of things unless

00:38:34.960 --> 00:38:42.160
there’s a really clear line of attribution back to the original incident. I’m more supportive of

00:38:42.160 --> 00:38:47.040
regulatory penalties where we have someone like the FTC being able to say look, you

00:38:47.040 --> 00:38:53.040
guys just simply didn’t do enough to protect your customers. We’re going to ping you at that level.

00:38:53.040 --> 00:38:57.120
I’m more supportive of that. If I’m honest, I’d like to say it happened a lot more.

00:38:57.120 --> 00:39:00.880
JACK: This data breach changed the way we think about password cracking even today.

00:39:00.880 --> 00:39:04.720
TROY: RockYou has sort of been one of those canonical sets of data that people have had

00:39:04.720 --> 00:39:10.720
for many, many years. I guess the interesting thing is now, a decade on, we know that people

00:39:10.720 --> 00:39:17.520
are still using the same sorts of passwords that they were back then, as well. The long-term value

00:39:17.520 --> 00:39:21.280
of RockYou is still there. JACK: For years the data Tom posted

00:39:21.280 --> 00:39:26.480
was the very best password list you could use when cracking passwords. In fact, it became so good and

00:39:26.480 --> 00:39:31.840
passed around so much that it became included in many popular hacking programs and OS’s.

00:39:31.840 --> 00:39:36.960
Even today Kali Linux, a popular hacking operating system, comes with the RockYou password list on it

00:39:36.960 --> 00:39:41.840
by default. You can find it right there in the user share wordlist directory. I’ve personally

00:39:41.840 --> 00:39:48.400
used this wordlist to crack many passwords in my time. Now, I know where it came from. Bye,

00:39:48.400 --> 00:39:54.960
Tom. Thanks for all the cracked passwords. JACK (OUTRO): [OUTRO MUSIC]

00:39:54.960 --> 00:39:59.200
You’ve been listening to Darknet Diaries. A big thanks goes to Amichai Shulman. The company he

00:39:59.200 --> 00:40:03.840
helped start, Imperva, was just [00:40:00] acquired a month ago for 2.1 billion dollars

00:40:03.840 --> 00:40:08.480
but Amichai left the company just before this acquisition. Another big thanks goes to Troy

00:40:08.480 --> 00:40:13.040
Hunt. He recommends using a unique, complex password for every website you visit and to

00:40:13.040 --> 00:40:18.000
check haveibeenpwned.com to see if your e-mail has been seen in a breach. For show notes and

00:40:18.000 --> 00:40:22.080
links check out darknetdiaries.com. Please tell your friends about this show. It always really

00:40:22.080 --> 00:40:27.360
makes my day when I hear you do that. This show is made by me, the dark spark, Jack Rhysider. Theme

00:40:27.360 --> 00:40:34.640
music is made by the hashed and salted Breakmaster Cylinder. Look for a new episode in two weeks.
