Edmodo Data Breach Analysis

Preface

Edmodo, an educational technology company offering a communication, collaboration and coaching platform to K-12 schools and teachers, suffered a data breach in the spring of 2017. The stolen data includes usernames, email addresses and passwords. After the company found out about the data breach, they contracted third party cybersecurity experts to conduct a full analysis to determine how the hackers managed to access their system.

What data is at risk?

The breached Edmodo data includes IDs, usernames, email addresses and hashed and salted passwords. There are exactly 77,039,863 ID, username and email records – the whole database has 77,248,517 records meaning that we can make an assumption that the hash and salt fields have 208,654 records more.

Usernames

In this data breach, there are 504 records with empty username fields – these records do not have email addresses associated with them either, but they do have passwords. It could be that these accounts had those attributes, but were chosen to be deleted from the system, and instead of deleting entire rows, Edmodo simply chose to delete other data attributes leaving only IDs and passwords in the database. Perhaps it could have been a measure to log in the user by using Simple Sign On (SSO) – by using such a property a user could login with his user ID and a password to gain access to any of several related systems: as Edmodo is a cloud-based learning management application, that would make sense.

Here’s the letters that usernames begin with:

#	Letter that a username begins with	User count
1	a	4,922,727
2	b	2,096,025
3	c	3,110,247
4	d	2,527,984
5	e	1,865,287
6	f	1,185,165
7	g	1,424,801
8	h	1,345,874
9	i	1,056,430
10	j	3,964,428
11	k	2,457,254
12	l	2,365,989
13	m	4,455,507
14	n	1,694,399
15	o	494,123
16	p	1,475,123
17	q	191,028
18	r	2,140,257
19	s	3,949,875
20	t	1,945,199
21	u	253,171
22	v	845,521
23	w	760,843
24	x	276,044
25	y	729,145
26	z	510,445

We can see that:

• The most prevalent letter – a – has been used 4,922,727 times – that’s approximately 6.37% of Edmodo users;
• The letter a is followed by the letter m – the letter m has been used by approximately 5.77% of Edmodo users;
• The letter m is followed by the letter s – the letter s has been used by approxmately 5.11% of Edmodo users;
• The letter s is followed by the letter j – the letter j has been used by approximately 5.13% of Edmodo users;
• The letter j is followed by the letter c – the letter c has been used by approximately 4.03% of Edmodo users.

The five most prevalent letters combined consume a little above a quarter – approximately 26.41% of Edmodo’s user base.

Judging from the analysis, we can see that the least prevalent letter is q – the letter q has been used by approximately 0.25% of Edmodo users.

Here’s the numbers that usernames begin with:

Number that a username begins with	User count
0	517,760
1	1,442,167
2	835,546
3	439,890
4	347,110
5	303,248
6	229,003
7	240,434
8	220,547
9	278,843

We can see that the most prevalent number is 1 and the least prevalent number is 8 – the numbers have been used by 1.87% and 0.29% of Edmodo users respectively.

Email addresses

Here’s the top 100 most frequently used email domains by Edmodo users:

#	Email Domain	User count	Purpose / Country
1		33,044,473	None
2	gmail.com	15,806,574	Commercial / United States
3	hotmail.com	7,549,528	Commercial / United States
4	yahoo.com	6,087,578	Commercial / United States
5	aol.com	455,198	Commercial / United States
6	yahoo.co.id	416,907	Indonesia
7	outlook.com	398,350	Commercial / United States
8	live.com	354,372	Commercial / United States
9	ymail.com	347,700	Commercial / United States
10	icloud.com	283,111	Commercial / United States
11	hotmail.es	217,006	Spain
12	comcast.net	159,545	Network Infrastructure
13	hotmail.co.uk	154,569	United Kingdom
14	rocketmail.com	128,987	Commercial / United States
15	students.ocps.net	111,647	Network Infrastructure
16	charterschoolsusa.com	105,010	Commercial / United States
17	education.nsw.gov.au	101,821	Government
18	qq.com	94,113	Commercial / United States
19	ccpsnet.net	86,486	Network Infrastructure
20	yahoo.es	82,201	Spain
21	me.com	75,712	Commercial / United States
22	msn.com	75,643	Commercial / United States
23	live.com.mx	74,481	Mexico
24	outlook.es	70,691	Spain
25	att.net	69,316	Network Infrastructure
26	libero.it	68,869	Italy
27	sbcglobal.net	66,498	Network Infrastructure
28	mail.ru	63,589	Russia
29	HOTMAIL.COM	62,252	Commercial / United States
30	verizon.net	59,871	Network Infrastructure
31	hotmail.it	58,556	Italy
32	naver.com	58,078	Commercial / United States
33	GMAIL.COM	57,753	Commercial / United States
34	edmodo.com	54,696	Commercial / United States
35	email.com	50,426	Commercial / United States
36	det.nsw.edu.au	49,201	Education
37	bellsouth.net	48,169	Network Infrastructure
38	cps.edu	45,591	Education
39	Gmail.com	45,216	Commercial / United States
40	yahoo.co.uk	44,138	United Kingdom
41	facebook.com	43,879	Commercial / United States
42	gamil.com	43,853	Commercial / United States
43	yahoo.com.mx	43,161	Mexico
44	yahoo.com.ar	42,007	Argentina
45	hotmail.com.ar	41,620	Argentina
46	cox.net	41,348	Network Infrastructure
47	hotmail.fr	41,230	France
48	mail.com	39,805	Commercial / United States
49	yahoo.com.ph	37,512	The Philippines
50	k12.sd.us	36,330	Commercial / United States
51	aim.com	35,887	Commercial / United States
52	live.cvesd.org	32,078	Organization
53	live.co.uk	31,892	United Kingdom
54	yahoo.ca	31,633	Canada
55	student.gccisd.net	30,538	Network Infrastructure
56	YAHOO.COM	29,713	Commercial / United States
57	gmai.com	29,407	Commercial / United States
58	hotmail.ca	25,543	Canada
59	pgcps.org	25,477	Organization
60	cvusd.us	25,378	Commercial / United States
61	bigpond.com	24,727	Commercial / United States
62	yahoo.com.br	24,202	Brazil
63	hotmail.co.th	22,346	Thailand
64	live.com.ar	22,157	Argentina
65	yahoo.it	21,547	Italy
66	live.ca	21,369	Canada
67	live.it	20,323	Italy
68	alice.it	20,319	Italy
69	yahoo.com.sg	20,162	Singapore
70	yahoo.com.au	19,954	Australia
71	yahoo.fr	19,088	France
72	richland2.org	19,001	Organization
73	gmail.co	18,945	None, probably misspelled
74	charter.net	18,842	Network Infrastructure
75	s.dcsdk12.org	18,648	Organization
76	btinternet.com	18,368	Commercial / United States
77	163.com	17,876	Commercial / United States
78	googlemail.com	17,738	Commercial / United States
79	windowslive.com	17,725	Commercial / United States
80	live.com.au	17,706	Australia
81	sinadep.org.mx	17,229	Mexico
82	hotmai.com	16,772	Commercial / United States
83	edumail.vic.gov.au	16,616	Government
84	interact.ccsd.net	15,439	Network Infrastructure
85	Hotmail.com	15,261	Commercial / United States
86	yahoo.com.tw	15,007	Taiwan
87	yahoo.com.hk	14,548	Hong Kong
88	Yahoo.com	14,247	Commercial / United States
89	gmil.com	14,160	Commercial / United States
90	wcpss.net	13,899	Network Infrastructure
91	optonline.net	13,891	Network Infrastructure
92	dadeschools.net	13,809	Network Infrastructure
93	virgilio.it	13,650	Italy
94	rogers.com	13,640	Commercial / United States
95	gmail.con	13,425	None, probably misspelled
96	bluevalleyk12.net	13,273	Network Infrastructure
97	class.lps.org	13,004	Organization
98	gaggle.net	12,778	Network Infrastructure
99	ocps.net	12,722	Network Infrastructure
100	tiscali.it	12,399	Italy

If we would sum up the users with associated countries, we would see that:

• There were 32,545,063 users who registered from domains that were associated either with commercial things or the United States – they would consume approximately 42.39% of the entire user base;
• There were 416,907 users who registered from domains that were associated with Indonesia – they would consume approximately 0.54% of the entire user base;
• There were 369,898 users who registered from domains that were associated with Spain – they would consume approximately 0.48% of the entire user base;
• There were 230,599 users who registered from domains that were associated with the United Kingdom – they would consume approximately 0.30% of the entire user base;
• There were 215,663 users who registered from domains that were associated with Italy – they would consume approximately 0.28% of the entire user base;
• There were 105,784 users who registered from domains that were associated with Argentina – they would consume approximately 0.14% of the entire user base;
• There were 78,545 users who registered from domains that were associated with Canada – they would consume approximately 0.10% of the entire user base;
• There were 37,660 users who users who registered from domains that were associated with Australia – they would consume approximately 0.05% of the entire user base;
• There were 24,202 users who users who registered from domains that were associated with Brazil – they would consume approximately 0.03% of the entire user base;
• There were 22,346 users who users who registered from domains that were associated with Thailand – they would also consume approximately 0.03% of the entire user base.

We can take a look at email addresses that begin with letters:

#	The letter that an email address begins with	User count
1	a	4,177,039
2	b	1,617,909
3	c	2,440,735
4	d	2,158,671
5	e	1,508,873
6	f	1,022,878
7	g	1,190,749
8	h	1,004,437
9	i	813,638
10	j	3,034,518
11	k	1,807,369
12	l	2,053,627
13	m	3,716,961
14	n	1,448,014
15	o	407,113
16	p	1,278,578
17	q	90,056
18	r	1,898,765
19	s	3,051,807
20	t	1,544,602
21	u	137,093
22	v	675,295
23	w	580,737
24	x	130,296
25	y	585,655
26	z	335,051

We can see that:

• The most prevalent letter is a followed by the letter m;
• The letter m is followed by the letter s;
• The letter s is followed by the letter j;
• The letter j is followed by the letter c;
• The least prevalent letter is q.

We can also take a look at email addresses that begin with numbers:

The number that an email address begins with	User count
0	90,119
1	612,044
2	256,276
3	129,773
4	181,148
5	51,321
6	46,337
7	49,532
8	43,364
9	51,916

Here the most prevalent number is 1, the least prevalent number is 8.

Summary

The Edmodo data breach, while pretty worrying at first, was not that bad after all – even though more than 77 million people were put at risk, Edmodo had hashed their passwords with a very strong BCrypt password hashing algorithm and they also salted their customers’ passwords making bulk password cracking not worth the time for potential attackers.