If you've ever signed up to Freelancer.com to make a quick buck farming out your skills, you might have an unexpected benefit: the tech team at Freelancer has reached out to users whose credentials they've found on public lists of third-party data breaches, both to prompt them to reset their passwords and to check which other sites they'd been compromised on.
First up, Freelancer makes it explicitly clear that there was no compromise of its own security on "any Freelancer.com operated web property", but instead has verified that some of its users have details shared with "Currently, the "mega lists" of compromised accounts from third-party websites have over 3.8 billion entries and include leaks from websites including Linkedin, Elance, Dropbox and Adobe." Statistically, with a ballpark estimate of around 6.3 billion email addresses in existence, there's a pretty damn good chance that many Freelancer.com users were contacted.
As well as resetting their passwords, Freelancer's affected users were also told to check haveibeenpwned.com to find where their details have been breached and publicly listed.
Freelancer's vice president of security and operations Nicholas de Jong told Gizmodo that Freelancer was checking its own user credential databases against existing third-party leaks publicly available on the 'net — something it does proactively as good security practice. "Recently while cross-checking public dumps of third party credential leaks from sites like Adobe, Linkedin and Elance (and many more), we observed users that appear to have credentials in common with those dumps and thus took measures to protect our users affected."
Freelancer reset the password of any user whose credentials were in the lists they cross-checked against, and contacted them with a form email with a one-time link to create a new password. de Jong said its testing was with email addresses and plain-text passwords, rather than users' unique usernames: "Our testing was against the third-party leaked email-addresses and plain-text passwords — usernames make no sense at scale, as they'd have too many namespace collisions — which in turn produces too much noise."
One of the largest caches of (unverified) email addresses and multiple associated passwords is on a site called Exploit.In, a site that security researcher Troy Hunt demonstrates many users re-use the same passwords — and email addresses, obviously — on multiple websites. Using a method called credential stuffing, attackers can attempt a variant of a brute force attack that automates input of known usernames and different cracked passwords on different websites, a scattershot approach that may yield another compromised account to be added to the list.
Freelancer stores its user credentials using Bcrypt, a powerful encryption tool that hashes salted passwords in several encryption rounds. de Jong says it's "expensive" to brute force — a reminder that no password is uncrackable, but some are easier to break than other. The company's advice, though, is straightforward: "Consider using a password manager, use a different password everywhere!" [Freelancer]