Edmodo Data Breach Analysis
Preface
Edmodo, an educational technology company offering a communication, collaboration and coaching platform to K-12 schools and teachers, suffered a data breach in the spring of 2017. The stolen data includes usernames, email addresses and passwords. After the company found out about the data breach, they contracted third party cybersecurity experts to conduct a full analysis to determine how the hackers managed to access their system.
What data is at risk?
The breached Edmodo data includes IDs, usernames, email addresses and hashed and salted passwords. There are exactly 77,039,863 ID, username and email records – the whole database has 77,248,517 records meaning that we can make an assumption that the hash and salt fields have 208,654 records more.
Usernames
In this data breach, there are 504 records with empty username fields – these records do not have email addresses associated with them either, but they do have passwords. It could be that these accounts had those attributes, but were chosen to be deleted from the system, and instead of deleting entire rows, Edmodo simply chose to delete other data attributes leaving only IDs and passwords in the database. Perhaps it could have been a measure to log in the user by using Simple Sign On (SSO) – by using such a property a user could login with his user ID and a password to gain access to any of several related systems: as Edmodo is a cloud-based learning management application, that would make sense.
Here’s the letters that usernames begin with:
| # | Letter that a username begins with | User count |
|---|---|---|
| 1 | a | 4,922,727 |
| 2 | b | 2,096,025 |
| 3 | c | 3,110,247 |
| 4 | d | 2,527,984 |
| 5 | e | 1,865,287 |
| 6 | f | 1,185,165 |
| 7 | g | 1,424,801 |
| 8 | h | 1,345,874 |
| 9 | i | 1,056,430 |
| 10 | j | 3,964,428 |
| 11 | k | 2,457,254 |
| 12 | l | 2,365,989 |
| 13 | m | 4,455,507 |
| 14 | n | 1,694,399 |
| 15 | o | 494,123 |
| 16 | p | 1,475,123 |
| 17 | q | 191,028 |
| 18 | r | 2,140,257 |
| 19 | s | 3,949,875 |
| 20 | t | 1,945,199 |
| 21 | u | 253,171 |
| 22 | v | 845,521 |
| 23 | w | 760,843 |
| 24 | x | 276,044 |
| 25 | y | 729,145 |
| 26 | z | 510,445 |
We can see that:
- The most prevalent letter – a – has been used 4,922,727 times – that’s approximately 6.37% of Edmodo users;
- The letter a is followed by the letter m – the letter m has been used by approximately 5.77% of Edmodo users;
- The letter m is followed by the letter s – the letter s has been used by approxmately 5.11% of Edmodo users;
- The letter s is followed by the letter j – the letter j has been used by approximately 5.13% of Edmodo users;
- The letter j is followed by the letter c – the letter c has been used by approximately 4.03% of Edmodo users.
The five most prevalent letters combined consume a little above a quarter – approximately 26.41% of Edmodo’s user base.
Judging from the analysis, we can see that the least prevalent letter is q – the letter q has been used by approximately 0.25% of Edmodo users.
Here’s the numbers that usernames begin with:
| Number that a username begins with | User count |
|---|---|
| 0 | 517,760 |
| 1 | 1,442,167 |
| 2 | 835,546 |
| 3 | 439,890 |
| 4 | 347,110 |
| 5 | 303,248 |
| 6 | 229,003 |
| 7 | 240,434 |
| 8 | 220,547 |
| 9 | 278,843 |
We can see that the most prevalent number is 1 and the least prevalent number is 8 – the numbers have been used by 1.87% and 0.29% of Edmodo users respectively.
Email addresses
Here’s the top 100 most frequently used email domains by Edmodo users:
| # | Email Domain | User count | Purpose / Country |
|---|---|---|---|
| 1 | 33,044,473 | None | |
| 2 | gmail.com | 15,806,574 | Commercial / United States |
| 3 | hotmail.com | 7,549,528 | Commercial / United States |
| 4 | yahoo.com | 6,087,578 | Commercial / United States |
| 5 | aol.com | 455,198 | Commercial / United States |
| 6 | yahoo.co.id | 416,907 | Indonesia |
| 7 | outlook.com | 398,350 | Commercial / United States |
| 8 | live.com | 354,372 | Commercial / United States |
| 9 | ymail.com | 347,700 | Commercial / United States |
| 10 | icloud.com | 283,111 | Commercial / United States |
| 11 | hotmail.es | 217,006 | Spain |
| 12 | comcast.net | 159,545 | Network Infrastructure |
| 13 | hotmail.co.uk | 154,569 | United Kingdom |
| 14 | rocketmail.com | 128,987 | Commercial / United States |
| 15 | students.ocps.net | 111,647 | Network Infrastructure |
| 16 | charterschoolsusa.com | 105,010 | Commercial / United States |
| 17 | education.nsw.gov.au | 101,821 | Government |
| 18 | qq.com | 94,113 | Commercial / United States |
| 19 | ccpsnet.net | 86,486 | Network Infrastructure |
| 20 | yahoo.es | 82,201 | Spain |
| 21 | me.com | 75,712 | Commercial / United States |
| 22 | msn.com | 75,643 | Commercial / United States |
| 23 | live.com.mx | 74,481 | Mexico |
| 24 | outlook.es | 70,691 | Spain |
| 25 | att.net | 69,316 | Network Infrastructure |
| 26 | libero.it | 68,869 | Italy |
| 27 | sbcglobal.net | 66,498 | Network Infrastructure |
| 28 | mail.ru | 63,589 | Russia |
| 29 | HOTMAIL.COM | 62,252 | Commercial / United States |
| 30 | verizon.net | 59,871 | Network Infrastructure |
| 31 | hotmail.it | 58,556 | Italy |
| 32 | naver.com | 58,078 | Commercial / United States |
| 33 | GMAIL.COM | 57,753 | Commercial / United States |
| 34 | edmodo.com | 54,696 | Commercial / United States |
| 35 | email.com | 50,426 | Commercial / United States |
| 36 | det.nsw.edu.au | 49,201 | Education |
| 37 | bellsouth.net | 48,169 | Network Infrastructure |
| 38 | cps.edu | 45,591 | Education |
| 39 | Gmail.com | 45,216 | Commercial / United States |
| 40 | yahoo.co.uk | 44,138 | United Kingdom |
| 41 | facebook.com | 43,879 | Commercial / United States |
| 42 | gamil.com | 43,853 | Commercial / United States |
| 43 | yahoo.com.mx | 43,161 | Mexico |
| 44 | yahoo.com.ar | 42,007 | Argentina |
| 45 | hotmail.com.ar | 41,620 | Argentina |
| 46 | cox.net | 41,348 | Network Infrastructure |
| 47 | hotmail.fr | 41,230 | France |
| 48 | mail.com | 39,805 | Commercial / United States |
| 49 | yahoo.com.ph | 37,512 | The Philippines |
| 50 | k12.sd.us | 36,330 | Commercial / United States |
| 51 | aim.com | 35,887 | Commercial / United States |
| 52 | live.cvesd.org | 32,078 | Organization |
| 53 | live.co.uk | 31,892 | United Kingdom |
| 54 | yahoo.ca | 31,633 | Canada |
| 55 | student.gccisd.net | 30,538 | Network Infrastructure |
| 56 | YAHOO.COM | 29,713 | Commercial / United States |
| 57 | gmai.com | 29,407 | Commercial / United States |
| 58 | hotmail.ca | 25,543 | Canada |
| 59 | pgcps.org | 25,477 | Organization |
| 60 | cvusd.us | 25,378 | Commercial / United States |
| 61 | bigpond.com | 24,727 | Commercial / United States |
| 62 | yahoo.com.br | 24,202 | Brazil |
| 63 | hotmail.co.th | 22,346 | Thailand |
| 64 | live.com.ar | 22,157 | Argentina |
| 65 | yahoo.it | 21,547 | Italy |
| 66 | live.ca | 21,369 | Canada |
| 67 | live.it | 20,323 | Italy |
| 68 | alice.it | 20,319 | Italy |
| 69 | yahoo.com.sg | 20,162 | Singapore |
| 70 | yahoo.com.au | 19,954 | Australia |
| 71 | yahoo.fr | 19,088 | France |
| 72 | richland2.org | 19,001 | Organization |
| 73 | gmail.co | 18,945 | None, probably misspelled |
| 74 | charter.net | 18,842 | Network Infrastructure |
| 75 | s.dcsdk12.org | 18,648 | Organization |
| 76 | btinternet.com | 18,368 | Commercial / United States |
| 77 | 163.com | 17,876 | Commercial / United States |
| 78 | googlemail.com | 17,738 | Commercial / United States |
| 79 | windowslive.com | 17,725 | Commercial / United States |
| 80 | live.com.au | 17,706 | Australia |
| 81 | sinadep.org.mx | 17,229 | Mexico |
| 82 | hotmai.com | 16,772 | Commercial / United States |
| 83 | edumail.vic.gov.au | 16,616 | Government |
| 84 | interact.ccsd.net | 15,439 | Network Infrastructure |
| 85 | Hotmail.com | 15,261 | Commercial / United States |
| 86 | yahoo.com.tw | 15,007 | Taiwan |
| 87 | yahoo.com.hk | 14,548 | Hong Kong |
| 88 | Yahoo.com | 14,247 | Commercial / United States |
| 89 | gmil.com | 14,160 | Commercial / United States |
| 90 | wcpss.net | 13,899 | Network Infrastructure |
| 91 | optonline.net | 13,891 | Network Infrastructure |
| 92 | dadeschools.net | 13,809 | Network Infrastructure |
| 93 | virgilio.it | 13,650 | Italy |
| 94 | rogers.com | 13,640 | Commercial / United States |
| 95 | gmail.con | 13,425 | None, probably misspelled |
| 96 | bluevalleyk12.net | 13,273 | Network Infrastructure |
| 97 | class.lps.org | 13,004 | Organization |
| 98 | gaggle.net | 12,778 | Network Infrastructure |
| 99 | ocps.net | 12,722 | Network Infrastructure |
| 100 | tiscali.it | 12,399 | Italy |
If we would sum up the users with associated countries, we would see that:
- There were 32,545,063 users who registered from domains that were associated either with commercial things or the United States – they would consume approximately 42.39% of the entire user base;
- There were 416,907 users who registered from domains that were associated with Indonesia – they would consume approximately 0.54% of the entire user base;
- There were 369,898 users who registered from domains that were associated with Spain – they would consume approximately 0.48% of the entire user base;
- There were 230,599 users who registered from domains that were associated with the United Kingdom – they would consume approximately 0.30% of the entire user base;
- There were 215,663 users who registered from domains that were associated with Italy – they would consume approximately 0.28% of the entire user base;
- There were 105,784 users who registered from domains that were associated with Argentina – they would consume approximately 0.14% of the entire user base;
- There were 78,545 users who registered from domains that were associated with Canada – they would consume approximately 0.10% of the entire user base;
- There were 37,660 users who users who registered from domains that were associated with Australia – they would consume approximately 0.05% of the entire user base;
- There were 24,202 users who users who registered from domains that were associated with Brazil – they would consume approximately 0.03% of the entire user base;
- There were 22,346 users who users who registered from domains that were associated with Thailand – they would also consume approximately 0.03% of the entire user base.
We can take a look at email addresses that begin with letters:
| # | The letter that an email address begins with | User count |
|---|---|---|
| 1 | a | 4,177,039 |
| 2 | b | 1,617,909 |
| 3 | c | 2,440,735 |
| 4 | d | 2,158,671 |
| 5 | e | 1,508,873 |
| 6 | f | 1,022,878 |
| 7 | g | 1,190,749 |
| 8 | h | 1,004,437 |
| 9 | i | 813,638 |
| 10 | j | 3,034,518 |
| 11 | k | 1,807,369 |
| 12 | l | 2,053,627 |
| 13 | m | 3,716,961 |
| 14 | n | 1,448,014 |
| 15 | o | 407,113 |
| 16 | p | 1,278,578 |
| 17 | q | 90,056 |
| 18 | r | 1,898,765 |
| 19 | s | 3,051,807 |
| 20 | t | 1,544,602 |
| 21 | u | 137,093 |
| 22 | v | 675,295 |
| 23 | w | 580,737 |
| 24 | x | 130,296 |
| 25 | y | 585,655 |
| 26 | z | 335,051 |
We can see that:
- The most prevalent letter is a followed by the letter m;
- The letter m is followed by the letter s;
- The letter s is followed by the letter j;
- The letter j is followed by the letter c;
- The least prevalent letter is q.
We can also take a look at email addresses that begin with numbers:
| The number that an email address begins with | User count |
|---|---|
| 0 | 90,119 |
| 1 | 612,044 |
| 2 | 256,276 |
| 3 | 129,773 |
| 4 | 181,148 |
| 5 | 51,321 |
| 6 | 46,337 |
| 7 | 49,532 |
| 8 | 43,364 |
| 9 | 51,916 |
Here the most prevalent number is 1, the least prevalent number is 8.
Summary
The Edmodo data breach, while pretty worrying at first, was not that bad after all – even though more than 77 million people were put at risk, Edmodo had hashed their passwords with a very strong BCrypt password hashing algorithm and they also salted their customers’ passwords making bulk password cracking not worth the time for potential attackers.