Leaked Accounts

Published on August 29, 2017 08:00 UTC by GovCERT.ch
Last updated on August 29, 2017 08:00 UTC

MELANI/GovCERT has been informed about potentially leaked accounts that are in danger of being abused. MELANI/GovCERT provides a tool for checking whether your account might be affected: https://checktool.ch

We would like to give some technical information about the tool:

  • We only transfer a SHA256 hash that is created on the client side using JavaScript. Thus we don't know the queried eMail addresses or account names.
  • No eMail addresses or account names are stored on the server, just the hashes.
  • All traffic is being transferred using SSL/TLS.

If we get additional eMail addresses or account names from other sources, we are going to update the database and announce it on this blog and on Twitter. If you have any technical questions, do not hesitate to contact us at outreach [at] govcert [dot] ch or via Twitter: https://twitter.com/GovCERT_CH.


Q: Why do we use Cloudflare?
A: We considered the risk of DDoS attacks to be very high. Cloudflare is an experienced DDoS mitigation provider. We decided to use a DDoS mitigation provider, not only for the protection of the tool itself, but also for the ISP where our server is located.

Q: Does that mean that the server is located in a US cloud?
A: No, the server with the hashes is located in Switzerland. We just use Cloudflare's network for DDoS mitigation. The IP address you see when doing a lookup belongs to the front-end server in the Cloudflare network. This server does not store any data, but passes the requests to our backend system.

Q: Who has access to the actual eMail addresses or account names?
A: No one except us. The eMail addresses and account names provided to us are not on the server. We stored only the hashes on the server. Only hashes are transferred from the client to the server. If you enter the eMail address or account name, it is immediately hashed on the client side and never stored.

Q: Why can’t I search for a whole domain or with a wildcard?
A: We did not store eMail addresses or account names on the system, only hashes. This makes a wildcard search impossible by design. Apart from that, we would have privacy concerns if anyone could basically look at all eMail addresses or account names. If a provider or organization would like a search for a whole domain, we can do that offline. Please provide some proof that you are really responsible for the domain.
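
The hash-only lookup described in the technical notes and in the answer above, as an added example that is not GovCERT.ch's code. The function names, the trim-and-lowercase normalisation and the sample data are assumptions, and Node's `crypto` module stands in for the browser's hashing so the sketch runs offline.

```javascript
// Added illustration; not the checktool.ch implementation.
const { createHash } = require("crypto");

// Client side: hash the identifier before anything is sent.
// Assumption: input is trimmed and lower-cased first, so that the client
// and the party that built the hash list derive the same digest.
function hashIdentifier(identifier) {
  const normalised = identifier.trim().toLowerCase();
  return createHash("sha256").update(normalised, "utf8").digest("hex");
}

// Constructed sample data: the raw list exists only offline at the operator.
const RAW_LEAK = ["alice@example.ch", "bob@example.ch", "carol@example.org", "dave_1984"];

// Online server: built once from the raw list, holds nothing but hashes.
function buildServerIndex(rawIdentifiers) {
  return new Set(rawIdentifiers.map(hashIdentifier));
}

// Server lookup: accept only a well-formed SHA-256 hex digest, exact match.
// Rejecting other input keeps a raw address from being processed by mistake.
function isLeaked(serverIndex, submittedHash) {
  if (!/^[0-9a-f]{64}$/.test(submittedHash)) {
    throw new TypeError("expected a 64-character hex SHA-256 digest");
  }
  return serverIndex.has(submittedHash);
}

// Domain search needs the plaintext, so it can only run where the raw list
// is held (offline), never against the hash index.
function offlineDomainSearch(rawIdentifiers, domain) {
  const suffix = "@" + domain.toLowerCase();
  return rawIdentifiers.filter((id) => id.toLowerCase().endsWith(suffix));
}

const SERVER_INDEX = buildServerIndex(RAW_LEAK);

// An exact identifier matches regardless of case or stray whitespace.
console.log(isLeaked(SERVER_INDEX, hashIdentifier("  Alice@Example.CH ")));
// A wildcard is just another string: its digest is unrelated to any entry.
console.log(isLeaked(SERVER_INDEX, hashIdentifier("*@example.ch")));
// The same question answered offline from the raw list.
console.log(offlineDomainSearch(RAW_LEAK, "example.ch"));
```

In a browser the same digest is computed with `crypto.subtle.digest("SHA-256", ...)`, which returns a promise of an `ArrayBuffer` that must be hex-encoded before it is sent.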

Q: Why did you do this? Why did you not just pass the information to a site like haveibeenpwned.com?
A: We were not in the position to pass the raw data to another organization.

Q: For how long did you know about this data?
A: We received the dataset last week.

Q: What else do you have to say?
A: Always use good passwords (long enough), choose different passwords for every account, and use 2-factor authentication whenever possible.
