Edmodo Data Breach Analysis

Preface

Edmodo, an educational technology company offering a communication, collaboration and coaching platform to K-12 schools and teachers, suffered a data breach in the spring of 2017. The stolen data includes usernames, email addresses and passwords. After the company found out about the data breach, they contracted third party cybersecurity experts to conduct a full analysis to determine how the hackers managed to access their system.

What data is at risk?

The breached Edmodo data includes IDs, usernames, email addresses and hashed and salted passwords. There are exactly 77,039,863 ID, username and email records – the whole database has 77,248,517 records meaning that we can make an assumption that the hash and salt fields have 208,654 records more.

Usernames

In this data breach, there are 504 records with empty username fields – these records do not have email addresses associated with them either, but they do have passwords. It could be that these accounts had those attributes, but were chosen to be deleted from the system, and instead of deleting entire rows, Edmodo simply chose to delete other data attributes leaving only IDs and passwords in the database. Perhaps it could have been a measure to log in the user by using Simple Sign On (SSO) – by using such a property a user could login with his user ID and a password to gain access to any of several related systems: as Edmodo is a cloud-based learning management application, that would make sense.

Here’s the letters that usernames begin with:

#Letter that a username begins withUser count
1a4,922,727
2b2,096,025
3c3,110,247
4d2,527,984
5e1,865,287
6f1,185,165
7g1,424,801
8h1,345,874
9i1,056,430
10j3,964,428
11k2,457,254
12l2,365,989
13m4,455,507
14n1,694,399
15o494,123
16p1,475,123
17q191,028
18r2,140,257
19s3,949,875
20t1,945,199
21u253,171
22v845,521
23w760,843
24x276,044
25y729,145
26z510,445

We can see that:

  • The most prevalent letter – a – has been used 4,922,727 times – that’s approximately 6.37% of Edmodo users;
  • The letter a is followed by the letter m – the letter m has been used by approximately 5.77% of Edmodo users;
  • The letter m is followed by the letter s – the letter s has been used by approxmately 5.11% of Edmodo users;
  • The letter s is followed by the letter j – the letter j has been used by approximately 5.13% of Edmodo users;
  • The letter j is followed by the letter c – the letter c has been used by approximately 4.03% of Edmodo users.

The five most prevalent letters combined consume a little above a quarter – approximately 26.41% of Edmodo’s user base.

Judging from the analysis, we can see that the least prevalent letter is q – the letter q has been used by approximately 0.25% of Edmodo users.

Here’s the numbers that usernames begin with:

Number that a username begins withUser count
0517,760
11,442,167
2835,546
3439,890
4347,110
5303,248
6229,003
7240,434
8220,547
9278,843

We can see that the most prevalent number is 1 and the least prevalent number is 8 – the numbers have been used by 1.87% and 0.29% of Edmodo users respectively.

Email addresses

Here’s the top 100 most frequently used email domains by Edmodo users:

#Email DomainUser countPurpose / Country
133,044,473None
2gmail.com15,806,574Commercial / United States
3hotmail.com7,549,528Commercial / United States
4yahoo.com6,087,578Commercial / United States
5aol.com455,198Commercial / United States
6yahoo.co.id416,907Indonesia
7outlook.com398,350Commercial / United States
8live.com354,372Commercial / United States
9ymail.com347,700Commercial / United States
10icloud.com283,111Commercial / United States
11hotmail.es217,006Spain
12comcast.net159,545Network Infrastructure
13hotmail.co.uk154,569United Kingdom
14rocketmail.com128,987Commercial / United States
15students.ocps.net111,647Network Infrastructure
16charterschoolsusa.com105,010Commercial / United States
17education.nsw.gov.au101,821Government
18qq.com94,113Commercial / United States
19ccpsnet.net86,486Network Infrastructure
20yahoo.es82,201Spain
21me.com75,712Commercial / United States
22msn.com75,643Commercial / United States
23live.com.mx74,481Mexico
24outlook.es70,691Spain
25att.net69,316Network Infrastructure
26libero.it68,869Italy
27sbcglobal.net66,498Network Infrastructure
28mail.ru63,589Russia
29HOTMAIL.COM62,252Commercial / United States
30verizon.net59,871Network Infrastructure
31hotmail.it58,556Italy
32naver.com58,078Commercial / United States
33GMAIL.COM57,753Commercial / United States
34edmodo.com54,696Commercial / United States
35email.com50,426Commercial / United States
36det.nsw.edu.au49,201Education
37bellsouth.net48,169Network Infrastructure
38cps.edu45,591Education
39Gmail.com45,216Commercial / United States
40yahoo.co.uk44,138United Kingdom
41facebook.com43,879Commercial / United States
42gamil.com43,853Commercial / United States
43yahoo.com.mx43,161Mexico
44yahoo.com.ar42,007Argentina
45hotmail.com.ar41,620Argentina
46cox.net41,348Network Infrastructure
47hotmail.fr41,230France
48mail.com39,805Commercial / United States
49yahoo.com.ph37,512The Philippines
50k12.sd.us36,330Commercial / United States
51aim.com35,887Commercial / United States
52live.cvesd.org32,078Organization
53live.co.uk31,892United Kingdom
54yahoo.ca31,633Canada
55student.gccisd.net30,538Network Infrastructure
56YAHOO.COM29,713Commercial / United States
57gmai.com29,407Commercial / United States
58hotmail.ca25,543Canada
59pgcps.org25,477Organization
60cvusd.us25,378Commercial / United States
61bigpond.com24,727Commercial / United States
62yahoo.com.br24,202Brazil
63hotmail.co.th22,346Thailand
64live.com.ar22,157Argentina
65yahoo.it21,547Italy
66live.ca21,369Canada
67live.it20,323Italy
68alice.it20,319Italy
69yahoo.com.sg20,162Singapore
70yahoo.com.au19,954Australia
71yahoo.fr19,088France
72richland2.org19,001Organization
73gmail.co18,945None, probably misspelled
74charter.net18,842Network Infrastructure
75s.dcsdk12.org18,648Organization
76btinternet.com18,368Commercial / United States
77163.com17,876Commercial / United States
78googlemail.com17,738Commercial / United States
79windowslive.com17,725Commercial / United States
80live.com.au17,706Australia
81sinadep.org.mx17,229Mexico
82hotmai.com16,772Commercial / United States
83edumail.vic.gov.au16,616Government
84interact.ccsd.net15,439Network Infrastructure
85Hotmail.com15,261Commercial / United States
86yahoo.com.tw15,007Taiwan
87yahoo.com.hk14,548Hong Kong
88Yahoo.com14,247Commercial / United States
89gmil.com14,160Commercial / United States
90wcpss.net13,899Network Infrastructure
91optonline.net13,891Network Infrastructure
92dadeschools.net13,809Network Infrastructure
93virgilio.it13,650Italy
94rogers.com13,640Commercial / United States
95gmail.con13,425None, probably misspelled
96bluevalleyk12.net13,273Network Infrastructure
97class.lps.org13,004Organization
98gaggle.net12,778Network Infrastructure
99ocps.net12,722Network Infrastructure
100tiscali.it12,399Italy

If we would sum up the users with associated countries, we would see that:

  • There were 32,545,063 users who registered from domains that were associated either with commercial things or the United States – they would consume approximately 42.39% of the entire user base;
  • There were 416,907 users who registered from domains that were associated with Indonesia – they would consume approximately 0.54% of the entire user base;
  • There were 369,898 users who registered from domains that were associated with Spain – they would consume approximately 0.48% of the entire user base;
  • There were 230,599 users who registered from domains that were associated with the United Kingdom – they would consume approximately 0.30% of the entire user base;
  • There were 215,663 users who registered from domains that were associated with Italy – they would consume approximately 0.28% of the entire user base;
  • There were 105,784 users who registered from domains that were associated with Argentina – they would consume approximately 0.14% of the entire user base;
  • There were 78,545 users who registered from domains that were associated with Canada – they would consume approximately 0.10% of the entire user base;
  • There were 37,660 users who users who registered from domains that were associated with Australia – they would consume approximately 0.05% of the entire user base;
  • There were 24,202 users who users who registered from domains that were associated with Brazil – they would consume approximately 0.03% of the entire user base;
  • There were 22,346 users who users who registered from domains that were associated with Thailand – they would also consume approximately 0.03% of the entire user base.

We can take a look at email addresses that begin with letters:

#The letter that an email address begins withUser count
1a4,177,039
2b1,617,909
3c2,440,735
4d2,158,671
5e1,508,873
6f1,022,878
7g1,190,749
8h1,004,437
9i813,638
10j3,034,518
11k1,807,369
12l2,053,627
13m3,716,961
14n1,448,014
15o407,113
16p1,278,578
17q90,056
18r1,898,765
19s3,051,807
20t1,544,602
21u137,093
22v675,295
23w580,737
24x130,296
25y585,655
26z335,051

We can see that:

  • The most prevalent letter is a followed by the letter m;
  • The letter m is followed by the letter s;
  • The letter s is followed by the letter j;
  • The letter j is followed by the letter c;
  • The least prevalent letter is q.

We can also take a look at email addresses that begin with numbers:

The number that an email address begins withUser count
090,119
1612,044
2256,276
3129,773
4181,148
551,321
646,337
749,532
843,364
951,916

Here the most prevalent number is 1, the least prevalent number is 8.

Summary

The Edmodo data breach, while pretty worrying at first, was not that bad after all – even though more than 77 million people were put at risk, Edmodo had hashed their passwords with a very strong BCrypt password hashing algorithm and they also salted their customers’ passwords making bulk password cracking not worth the time for potential attackers.

Leave a Reply

Your email address will not be published. Required fields are marked *