Bitcoin: how two hackers recovered a $3 million “lost treasure”

Michael says the hackers kept coming back to him to ask if he was sure about the parameters he had used. At a certain point, however, he found other passwords that he had generated with RoboForm in 2013, two of which had no special characters. So Grand and his collaborator adjusted their aim. Last November they contacted Michael to arrange an in-person meeting: “I thought, ‘Oh my God, they’re going to ask me again if I’m sure about the parameters.’” Instead, the two revealed that they had finally found the correct password, which indeed had no special characters. It had been generated on May 15, 2013, at 16:10:40 GMT. “In the end our luck was that our parameters and time interval were correct. If any of these had been wrong, we would have continued to guess or shoot without much success,” Grand explains to Wired US. “It would have taken much longer to try all possible passwords.” The hackers uploaded a video to YouTube in which they explain all the technical details of the feat.

The password generator

RoboForm, software produced by the American company Siber Systems, was one of the first password managers on the market and currently has more than 6 million users worldwide, according to a company report. In 2015, Siber appears to have fixed the flaws in its system. Grand and Bruno explain that later versions of the program don’t seem to tie generated passwords to the computer’s date. Siber Systems confirmed to Wired US that it fixed the problem in version 7.9.14 of RoboForm, released on June 10, 2015, although a company spokesperson declined to explain how. A changelog on the company’s website says only that Siber programmers made changes to increase the randomness of generated passwords.

Grand explained that cybercriminals could still recover passwords generated by RoboForm versions released before the 2015 fix. Furthermore, it is not entirely certain that current versions no longer contain the same problem. “I don’t think I would trust it without knowing how they actually improved password generation in newer versions,” says the hacker. “I’m not even sure RoboForm knew how serious this particular weakness was.” Apparently, when it released version 7.9.14 in 2015, Siber never told its users that they would have to generate new passwords. This means that everyone who, like Michael, used RoboForm to generate passwords before 2015 could be vulnerable to cyber attacks.
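The risk described above can be made concrete with a short sketch. This is an added example, not RoboForm's code or anything from the original article: `time_seeded_password` is a hypothetical generator whose only seed is the clock, the 20-character length and alphabet are assumptions, and the vault entries are constructed.

```python
import math, random, secrets, string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed: no special characters
LENGTH = 20                                      # assumed length, not from the article

def utc(*parts) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)

FIX_RELEASE = utc(2015, 6, 10)  # release date of version 7.9.14, per the article

def time_seeded_password(when: datetime) -> str:
    """Hypothetical weak generator: the clock, in whole seconds, is the only seed."""
    rng = random.Random(int(when.timestamp()))
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))

def csprng_password() -> str:
    """Hardened form: every character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))

def clock_entropy_bits(start: datetime, end: datetime) -> float:
    """Effective entropy when the output depends only on a second in [start, end]."""
    return math.log2(int((end - start).total_seconds()) + 1)

def csprng_entropy_bits() -> float:
    """Entropy of LENGTH independent, uniformly chosen characters."""
    return LENGTH * math.log2(len(ALPHABET))

def needs_rotation(vault: list) -> list:
    """Sites whose password came from the affected generator before the fix shipped."""
    return [e["site"] for e in vault
            if e["generator"] == "roboform" and e["created"] < FIX_RELEASE]

# Constructed vault export: sites, generators and dates are made up for illustration.
VAULT = [
    {"site": "wallet.example", "generator": "roboform", "created": utc(2013, 5, 15, 16, 10, 40)},
    {"site": "forum.example", "generator": "roboform", "created": utc(2014, 11, 2)},
    {"site": "mail.example", "generator": "roboform", "created": utc(2016, 3, 1)},
    {"site": "shop.example", "generator": "other", "created": utc(2012, 7, 9)},
]

if __name__ == "__main__":
    t = utc(2013, 5, 15, 16, 10, 40)
    print("same second, same password:", time_seeded_password(t) == time_seeded_password(t))
    print("bits if only the year is known:",
          round(clock_entropy_bits(utc(2013, 1, 1), utc(2013, 12, 31, 23, 59, 59)), 1))
    print("bits from a CSPRNG:", round(csprng_entropy_bits(), 1))
    print("rotate:", needs_rotation(VAULT))
```

Under these assumptions, knowing only the year of generation leaves under 25 bits of uncertainty, against roughly 119 bits for the same length from a CSPRNG, which is why every entry created before the fix date belongs on the rotation list.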

“Most people don’t change their passwords unless explicitly asked,” says Grand. “The same goes for me: of the 935 passwords in my password manager (which is not RoboForm), 220 are from 2015 or earlier, and most are from sites I still use.” Last November, Grand and Bruno deducted a percentage of the bitcoins recovered from Michael’s account as compensation for their work, and then gave him the password to access his wallet. The man now holds 30 BTC, worth $3 million, and says he was lucky to have lost his password years ago, because otherwise he would have sold his bitcoins when they were worth 40 thousand dollars apiece, missing out on a great profit.

This article previously appeared on Wired US.
