Gamigo learned a few months ago about a breach and alerted its users that they had been attacked. But now we see an estimated 8+ million records just went public, no small haul for the attackers. What is interesting is that, by one account, hash cracking was able to recover over 90% of the passwords, lending credence to what David Harley recently wrote about password complexity, or the lack thereof.
Also, while it seems Gamigo took pretty proactive steps to notify users, 8+ million username/password combinations, even in hashed form, is still a huge haul, and can add significantly to the pool of passwords scammers use to attempt new breaches.
When scammers attempt to crack leaked hashed passwords, a common method is to use a program that hashes each entry in a word list and compares the results against the leaked hashes. Word lists of this type are freely available online, and some scammers even bundle multiple lists and make them available, sometimes for a fee. While the original list in the Gamigo breach claimed to hold close to 12 million username/password combinations, after de-duplicating the data it seems the real number of unique combinations is closer to 8 million. But adding another 8 million password combinations to the already existing lists (some in the tens of millions) can give scammers quite a leg up on future exploits.
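To make the point concrete, here is an added example (not from the original post or from Gamigo) showing the defender's side of the same mechanism: an audit that measures what fraction of a leaked dump falls to a public word list, and a signup-time check that refuses passwords already on such a list. The word list, the dump and the use of unsalted MD5 are all constructed assumptions for illustration; the post does not say how Gamigo stored its passwords.

```python
import hashlib

# Constructed stand-in for the public word lists the post describes
# (real ones run to tens of millions of entries).
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123",
            "gamigo", "dragon", "football", "monkey", "iloveyou"]


def hash_password(password: str) -> str:
    """Assumption for illustration: an unsalted fast hash (MD5).

    The post does not state Gamigo's scheme; any unsalted fast hash
    lets a word list be hashed once and compared against every user.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wordlist_lookup(wordlist):
    """Hash the word list once so each leaked hash is a single dict lookup."""
    return {hash_password(word): word for word in wordlist}


def audit_exposure(leaked_hashes, wordlist):
    """Defender's audit: fraction of a dump's hashes recovered by the word list.

    Returns (fraction_recovered, {hash: plaintext}) so the result can be
    reported without ever storing the recovered passwords beside accounts.
    """
    lookup = wordlist_lookup(wordlist)
    recovered = {h: lookup[h] for h in leaked_hashes if h in lookup}
    return len(recovered) / len(leaked_hashes), recovered


def is_in_wordlist(password: str, wordlist) -> bool:
    """Signup or reset-time check: reject a password already on a public list."""
    return password in set(wordlist)


# Constructed dump: ten unsalted hashes, nine of which come from the word list,
# mirroring the "over 90% recovered" figure the post cites.
DUMP = [hash_password(p) for p in
        ["123456", "password", "qwerty", "letmein", "abc123",
         "dragon", "football", "monkey", "iloveyou", "Tq8!vLm#29zR"]]

if __name__ == "__main__":
    rate, found = audit_exposure(DUMP, WORDLIST)
    print(f"{rate:.0%} of the dump's hashes were recovered from the word list")
```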
What to do? Well, if Mr. Harley’s blog is at all accurate, and the most common passwords he listed are indeed king, changing your password to something stronger seems to be the best first step, and a cheap piece of insurance. Also, there are sites online that allow you to check to see if your credentials are available on any of the wordlists. That might be worth your time as well.
The weak link here is that a person who uses a weak password probably also re-uses it across multiple services, widening their attack surface substantially. Also, if scammers get into one account, they can get other personal information that would help them with the challenge questions on your other accounts, so the chain of nastiness may just be starting for unwary users.
Still, Gamigo did the right thing notifying users, and we’re sorry to see the whole list actually did make it into the public arena. So now might be a good time to revisit Mr. Harley’s advice, before it’s too late.
Hat tip to Forbes for their article on the subject.
Author Cameron Camp, ESET