Lessons from the Hookers.nl breach: cracking 57% of the passwords in three days
Dutch website Hookers.nl — used by prostitutes, escorts and their customers — has been hacked. The site’s user database was stolen, is actively being traded in the underground and is sold for about 2 Euros. The dump contains data of — among others — employees of Dutch governmental institutions like the department of defense, foreign affairs and law enforcement. Since the data is now within virtually anyone’s reach, we expect blackmail scams against users soon.
Hookers.nl publicly stated that passwords were not stolen. Strictly speaking this is true: the database does not contain plain text passwords but hashed passwords. Scattered Secrets was able to crack 57% of the password hashes in three days. This is our story.
Hookers.nl uses commercial forum software named vBulletin. This software package has existed since 2000. The current version — as used by Hookers.nl — is 5.5.4. On 23 September a so-called 0day exploit was posted on the ‘Full Disclosure’ mailing list. A 0day is a weakness with no known fix. This specific exploit worked against all 5.x versions of vBulletin. This meant that all installations of vBulletin 5, on a global scale, could be hacked.
Using off-the-shelf scanning tools, it is easy to perform an automated global inventory scan. Within hours to days, all websites worldwide can be queried to see if they are running vBulletin 5. If they do, the 0day exploit can be launched and the forum’s underlying database content can be stolen. Hookers.nl was hacked this way on 25 or 26 September 2019, probably fully automated. The Hookers.nl dataset we have received contains 292,853 user accounts. We assume that the data is genuine but cannot guarantee correctness nor completeness.
Hookers.nl is a public forum. A lot of data can be accessed anonymously: confidentiality of posts is not an issue. Posts are made using nicknames. Most users assume that they can post anonymously. However, with access to the database content it is possible to link a nickname to the email address that was used for registration. In many cases the email address can be related to a person. Those users might be blackmailed: ‘pay us or else…’. The raw database contains all information a blackmailer needs, in unencrypted form, including emails and IP addresses. This is not specific to Hookers.nl; the vBulletin software just works this way. Plain text user passwords are not stored: instead a so-called ‘password hash’ is used.
Cracking password hashes — to retrieve the plain text password — can be interesting for attackers. Many people use (variants of) a single password for several services. If you can crack their Hookers.nl password, you might be able to breach their other accounts as well.
The good news is that cracking password hashes takes time and effort. The bad news is that cracking password hashes from a database dump is an offline process. This means that limitations of the online website — like waiting for a few minutes or solving a CAPTCHA after a defined number of unsuccessful logon attempts — do not apply. If the password hashes leaked to the outside world, there is no way to stop an offline password cracking attack.
The password hashes
As a password breach notification and prevention service, Scattered Secrets is interested in the plain text passwords of data breaches. So how do we crack the Hookers.nl password hashes?
First of all we need to know what password algorithm is used. The documentation tells us that vBulletin version 5 uses bcrypt by default. Cracking bcrypt hashes is a slow process: bcrypt is one of the best options for protecting passwords. However, vBulletin 5 was released in 2012 and according to their website, Hookers.nl has been online since 2002. Using basic internet archaeology, it is not difficult to find out that Hookers.nl used pre-5 versions of vBulletin in the past as well. These versions used easier-to-crack password hashes: salted MD5. Effectively this means that there are two types of password hashes: legacy (pre-2012) and bcrypt (2012 and later). The legacy hashes — typically belonging to users that have been inactive for some time — are significantly easier to crack than the bcrypt ones. The dataset we have received contains 292,853 user accounts: 241,547 (82.5%) legacy hashes and 49,324 (16.8%) bcrypt based hashes. The rest of the records do not contain valid email addresses and were discarded.
Secondly, we can work out what types of cracking approach look promising. This is based on the effort required for specific password cracking techniques. Both legacy and recent versions of vBulletin use a mechanism called password salting. Cracking legacy vBulletin hashes is significantly faster than cracking modern hashes, in this case 16,666,667:1 (~12.5G versus 750 attempts per second on an Nvidia RTX 2080 Ti, with a bcrypt ‘work factor’ of 10). This large difference means that it is way easier to crack legacy hashes. In practice it means that legacy passwords can be cracked using generic cracking hardware, and that cracking bcrypt hashes takes enormous amounts of computing power: about 16 million times more effort per hash. For the ~50k Hookers.nl bcrypt hashes it would mean that trying all six-position passwords already takes about 27 years (93⁶ / 750 / 86,400 / 365).
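As an added example (not code from the article or from vBulletin), the login path below shows why the legacy hashes linger: the legacy vBulletin 3/4 format md5(md5(password) + salt) is a public format, and a record can only be rehashed when its owner actually logs in. PBKDF2-HMAC-SHA256 stands in for bcrypt because Python’s standard library has no bcrypt (an assumption of this example); the record layout and function names are illustrative.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Legacy vBulletin 3/4 scheme (public format): md5(md5(password) + salt).
# There is no work factor: one MD5 pair per guess, which is why the article
# reports ~12.5 billion guesses per second against these hashes.
def legacy_vb_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Stand-in for the slow scheme (assumption): vBulletin 5 uses bcrypt, but the
# Python stdlib has no bcrypt, so PBKDF2-HMAC-SHA256 with a high iteration
# count plays its role: a tunable cost per guess, like bcrypt's work factor.
SLOW_ITERATIONS = 600_000

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, SLOW_ITERATIONS)

@dataclass
class UserRecord:          # illustrative layout, not vBulletin's table
    scheme: str            # "legacy" or "pbkdf2"
    salt: bytes
    digest: bytes

def new_user(password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord("pbkdf2", salt, slow_hash(password, salt))

def login(rec: UserRecord, password: str) -> bool:
    """Verify the password; on success, silently upgrade a legacy record."""
    if rec.scheme == "legacy":
        candidate = legacy_vb_hash(password, rec.salt.decode("ascii")).encode("ascii")
        if not hmac.compare_digest(candidate, rec.digest):
            return False
        # Only a successful login yields the plaintext needed to rehash, so
        # accounts that never log in again stay on the weak hash indefinitely.
        rec.salt = os.urandom(16)
        rec.digest = slow_hash(password, rec.salt)
        rec.scheme = "pbkdf2"
        return True
    return hmac.compare_digest(slow_hash(password, rec.salt), rec.digest)

def legacy_share(records) -> float:
    """Fraction of accounts still on the legacy hash: the migration backlog."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.scheme == "legacy") / len(records)
```

Forcing a reset or invalidating records still on the legacy scheme is the only way to clear the backlog for accounts whose owners never return.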
At Scattered Secrets we see a lot of breaches containing bcrypt hashes. To speed up cracking, we run a cluster of specialized bcrypt crackers. The crackers do not use the de facto standard Graphics Processing Units (‘GPU’, as used in gaming PCs) for cracking, but Field Programmable Gate Arrays (‘FPGA’, specialized hardware). This means that a single one of our servers matches or even beats the computing power of a full-height server rack (180 cm / 6 feet high) filled with high-end conventional GPU based password crackers.
To attack the Hookers.nl hashes, we have used one cracker with generic computing power for the legacy accounts. One specialized cracker was used to crack the bcrypt hashes. The total time of the cracking session was three days.
With limited effort and basic attack techniques we were able to crack 154,653 legacy (64%) and 11,675 bcrypt (24%) passwords. This makes a total of 166,328 out of 290,871 (57%).
The top 35:
The seemingly random passwords caught our attention, like #1: ‘vRbGQnS997’. The associated email addresses have the same destination with a different notation (e.g. email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org etc.) or use
The other passwords match what we see in other datasets: all-time favorites (‘123456’, ‘password’ etc.), cities, soccer clubs, cars and the name of and things related to the website. One thing that stands out: #6 versus #14, ‘qwerty’ versus ‘azerty’. It seems that a lot of Belgian and French visitors registered, since the AZERTY keyboard layout is mainly used in those two countries.
Not in the top 35 but worth mentioning:
Nearly a hundred users use a 10-digit password that matches the syntax of a Dutch cell phone number.
Cracked accounts include — among others — users from domains of Dutch governmental institutions like the department of defense, foreign affairs and law enforcement.
Analysis of IP addresses shows that many of those users visit Hookers.nl from work.
The hack of Hookers.nl got a lot of media attention because of the sensitive nature of their data. Many other services using the same forum software also got hacked. In the case of this specific vBulletin exploit, forum owners had no way of protecting themselves since there were no updates available. As a result, your personal information might be stolen elsewhere as well. With market prices of recent datasets including Hookers.nl as low as a few Euros, the data is within virtually anyone’s reach.
data of various hacked vBulletin forums available for download
Blackmailing is possible without additional effort: expect blackmail scam demands soon. If this is the case for you personally: contact law enforcement and follow their instructions.
Over 80% of the Hookers.nl passwords are hashed using a legacy algorithm. Cracking legacy password hashes is within reach of everyone with a decent gaming PC. To crack a significant percentage of the modern hashes, specialized equipment is required.
If you are using (variants of) the same password for several services: update your passwords as soon as possible. To stay as safe as possible in the future: use long (≥12 positions) and unique passwords (completely unrelated) for all your accounts.
Scattered Secrets ♥ passwords ;) Don’t forget to check if your passwords are breached! Want to know more? Contact Dennis Nuijens.