Exfiltration of Hashed Passwords From a Website

Lukas Vileikis
08 July 2021

These days, data breaches happen left and right, and once they happen it isn't unheard of for attackers to leak the stolen data. Leaked data frequently includes hashed passwords. A password hash is a fixed-length, one-way digest of the password: when a user supplies a password, the system runs it through a set hash function and stores only the output, so the plaintext itself should never be on disk. Verifying a login then means hashing what the user typed and comparing the result with the stored digest.

Algorithms can be weak or strong. MD5 is the classic weak choice: it has known collision weaknesses, but the reason it is unsuitable for passwords is simpler than that. It is a general-purpose hash designed to be fast, and there are worse choices still. An attacker cannot reverse a hash, but doesn't need to: with a fast, unsalted algorithm they can test billions of guesses per second on commodity GPUs, and two users with the same password produce the same digest, so a precomputed table works against the whole dump at once. Purpose-built password hashes such as bcrypt (built on the Blowfish cipher), scrypt, Argon2 and PBKDF2 are deliberately slow, take a random per-user salt and expose a tunable work factor; bcrypt in particular is very commonly recommended as a safe algorithm to store your passwords with. Note that Blowfish itself is a block cipher, not a password hash.

Once some (or all) of your hashed passwords have been exfiltrated, the attackers will try to crack them offline. The stronger your hashing algorithm and the higher its work factor, the more each guess costs them, which is terrible news for attackers but great news for us. The caveat is that a slow hash only multiplies the attacker's cost per guess: a password that appears in every wordlist still falls after a handful of guesses, so hashing strength protects users with decent passwords and buys you time to react, nothing more.
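To make the difference between a weak and a strong scheme concrete, here is an added example (editor's code, not from the original post or from Backup Ninja). It stores the same constructed passwords as unsalted MD5 and as salted PBKDF2-HMAC-SHA256 from the Python standard library (bcrypt is not in the standard library, so PBKDF2 stands in for it here), runs the same dictionary attack against both and counts the work each one costs the attacker, and shows the login-time migration from a legacy MD5 record to a salted one. The wordlist, the user passwords and the iteration count are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed cracking dictionary for the demo (assumption: not real leak data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]

# OWASP's 2023 floor for PBKDF2-HMAC-SHA256; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Legacy storage: unsalted, fast and deterministic. Same password -> same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes | None = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. The record carries its own parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted_md5(targets: list[str], wordlist: list[str] = WORDLIST):
    """Dictionary attack on unsalted MD5: hash the wordlist ONCE, then match every target
    by table lookup. Work is len(wordlist) no matter how many users leaked."""
    table = {md5_hex(word): word for word in wordlist}
    found = {target: table[target] for target in targets if target in table}
    return found, len(wordlist)


def crack_salted_pbkdf2(records: list[str], wordlist: list[str] = WORDLIST):
    """Same attack on salted PBKDF2: every record has its own salt, so each guess must be
    recomputed per user, and each recomputation costs the full iteration count."""
    found, work = {}, 0
    for record in records:
        for word in wordlist:
            work += 1
            if pbkdf2_verify(word, record):
                found[record] = word
                break
    return found, work


def verify_and_upgrade(password: str, stored: str):
    """Login check that migrates a legacy MD5 record to PBKDF2 on the first successful login.
    Returns (ok, new_record); new_record is None when no migration is needed."""
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, stored), None
    # 32 hex chars: assume a legacy unsalted MD5 record (assumption for this demo).
    if len(stored) == 32 and hmac.compare_digest(md5_hex(password), stored):
        return True, pbkdf2_hash(password)
    return False, None


if __name__ == "__main__":
    # Three constructed user passwords; the third is not in the wordlist.
    passwords = ["letmein", "dragon", "Tr0ub4dor&3"]
    md5_dump = [md5_hex(p) for p in passwords]
    pbkdf2_dump = [pbkdf2_hash(p) for p in passwords]

    found, work = crack_unsalted_md5(md5_dump)
    print(f"MD5: recovered {len(found)} of {len(md5_dump)} with {work} hash computations")
    found, work = crack_salted_pbkdf2(pbkdf2_dump)
    print(f"PBKDF2: recovered {len(found)} of {len(pbkdf2_dump)} with {work} guesses, "
          f"each costing {PBKDF2_ITERATIONS} HMAC iterations")
```

Two things to notice when running it: the unsalted dump is cracked with six hash computations in total, however many users are in it, while the salted dump costs the attacker a full PBKDF2 run per user per guess. Both attacks still recover "letmein" and "dragon", which is the caveat from the paragraph above in code: the slow hash buys time, it does not rescue a dictionary password.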

Once you know that you have been hacked and your password hashes could have been exfiltrated, you should force a password reset for the customers (or users) of your service, invalidate their existing sessions and tokens, and warn them that the same password reused on other sites is now at risk, so that their identities are not stolen later.

GDPR and Hashed Password Exfiltration

Hashed password exfiltration refers to a security breach in which part or all of a company's data is accessed without authorization and then copied, transferred or retrieved from a computer or server. Afterwards, the data is frequently leaked on the web for other cybercriminals to use.

Under GDPR, a lot of this comes down to a personal data breach: password hashes stored next to usernames or e-mail addresses are personal data, and Article 4(12) defines a breach as a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, such data. If your data is not adequately protected (Article 32 requires appropriate technical measures, encryption among them), attackers have an easier time getting at it, and once they have it, destruction, loss, alteration or unauthorized disclosure is very likely to follow. Article 33 also requires you to notify your supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to the people affected.

If you have found that your hashed passwords (or your data in general) have been compromised or exfiltrated, the primary things to do, as mentioned above, are to reset all of your users' passwords and, if the attacker altered or destroyed anything, to recover your data from backups.

Recovering Your Databases From Backups

If you’re using MySQL, MariaDB, Percona Server, PostgreSQL, MongoDB or even TimescaleDB, Backup Ninja can be a reliable partner in your backup journey.

After you first log in to Backup Ninja, you will be able to observe the status of your backups:

[Screenshot: Status of Backups]

This page tells you how many backups you have running, how many are inactive and how many return errors; you can also see backup statistics for the last 24 hours, the last 7 days or the last month.

You can also view the list of scheduled backups by clicking the Schedules link on the left side of Backup Ninja. Here's what one of your scheduled backups might look like:

[Screenshot: View of Backups]

You will be able to see whether compression and encryption are enabled, what name template the backup uses, which server it runs on, when it is scheduled to run, which backup method it uses, when it was last executed and so on.

Backups can also be edited from here (you can change the schedule details, the backup type, the server the backup runs on and so on):

[Screenshot: Name of Schedule]

You can also modify the backup's own settings if you so desire: change its name, or enable or disable compression and encryption:

[Screenshot: Name Pattern]

You can also schedule when the backup will run if you wish:

[Screenshot: When will the backup run?]

Scheduling your backups is also very important, especially if your data has already been exfiltrated once and you want to be protected the next time: if an attacker who has got into your database corrupts or deletes it, intentionally or not, and you have no backups, you're pretty much screwed. This is where scheduled backups in Backup Ninja come in handy, especially if you elect to store them in the cloud. Remember that a backup of your user table contains the very same password hashes the attacker was after, so enable encryption for the backup and restrict who can read the storage location; an unencrypted backup in a widely readable bucket is just another copy waiting to be exfiltrated. To store backups in the cloud, simply select the cloud in the storage options:

[Screenshot: Where to store backups?]

Once again, define the backup name, compression and encryption options, and finally, schedule the backup on the last page:

[Screenshot: Scheduling a Backup]

Once your backup is scheduled to run monthly, weekly, daily, hourly or even every minute, you should be good to go. Be clear about what this buys you, though: backups restore the integrity and availability of your data after an attack, but they do nothing for confidentiality. A hash that has already left your server stays leaked, so backups complement strong password hashing, access control and a forced reset; they don't replace them.

Summary

Exfiltration of hashed passwords is never good, especially if the hashing algorithm you've employed is weak. Thankfully, by implementing a couple of good security practices (hashing passwords with a slow, salted algorithm such as bcrypt, resetting credentials promptly after a breach, and educating your employees about the importance of data security, among other things), and by backing up your data so that it can be restored if it is altered or destroyed, you put yourself (and your business) on a good path.
