Hookers.nl breach: cracking 57% of the passwords in three days

Dutch website Hookers.nl — used by prostitutes, escorts and their customers — has been hacked. The site’s user database was stolen, is actively being traded in the underground and sells for about 2 Euros. The dump contains data of — among others — employees of Dutch governmental institutions like the department of defense, foreign affairs and law enforcement. Since the data is now within virtually anyone’s reach, we expect blackmail scams against users soon.

Hookers.nl publicly stated that passwords were not stolen. Strictly speaking this is true: the database does not contain plain text passwords but hashed passwords. Scattered Secrets was able to crack 57% of the password hashes in three days. This is our story.

The weakness

The hack

The impact

Cracking password hashes — to retrieve the plain text password — can be interesting for attackers. Many people use (variants of) a single password for several services. If you can crack their Hookers.nl password, you might be able to breach their other accounts as well.

The good news is that cracking password hashes takes time and effort. The bad news is that cracking password hashes from a database dump is an offline process. This means that the limitations of the online website — like waiting for a few minutes or solving a CAPTCHA after a defined number of unsuccessful logon attempts — do not apply. Once the password hashes have leaked to the outside world, there is no way to stop an offline password cracking attack.

The password hashes

First of all we need to know which password hashing algorithm is used. The documentation tells us that vBulletin version 5 uses bcrypt by default. Cracking bcrypt hashes is a slow process: bcrypt is one of the best options for protecting passwords. However, vBulletin 5 was released in 2012 and, according to their website, Hookers.nl has been online since 2002. Using basic internet archaeology, it is not difficult to find out that Hookers.nl used pre-5 vBulletin versions in the past as well. These versions used easier-to-crack password hashes: salted MD5. Effectively this means that there are two types of password hashes: legacy (pre-2012) and bcrypt (2012 and later). The legacy hashes — typically belonging to users who have been inactive for some time — are significantly easier to crack than the bcrypt ones. The dataset we received contains 292,853 user accounts: 241,547 (82.5%) legacy hashes and 49,324 (16.8%) bcrypt-based hashes. The rest of the records do not contain valid email addresses and were discarded.

Secondly, we can work out which cracking approaches look promising. This is based on the effort required for specific password cracking techniques. Both legacy and recent versions of vBulletin use a mechanism called password salting. Cracking legacy vBulletin hashes is significantly faster than cracking modern hashes, in this case 16,666,667:1 (~12.5G versus 750 attempts per second on an Nvidia RTX 2080 Ti, with a bcrypt ‘work factor’ of 10). This enormous difference means that it is way easier to crack legacy hashes. In practice it means that legacy passwords can be cracked using generic cracking hardware, while cracking bcrypt hashes takes enormous amounts of computing power: about 16 million times more effort per hash. For the ~50k Hookers.nl bcrypt hashes this means that trying all six-position passwords against a single hash already takes about 27 years (93⁶ / 750 / 86,400 / 365).
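The two hash families and the time estimate above, worked through in code. This is an added example, not Scattered Secrets’ tooling: it assumes the commonly documented pre-vBulletin-5 scheme md5(md5(password) + salt), recognises bcrypt strings by their modular-crypt prefix, and uses constructed sample rows rather than real Hookers.nl data. A defender can run `inventory` over their own user table to see how many accounts still sit on the legacy scheme.

```python
import hashlib
import re

# Assumed pre-vBulletin-5 (vBulletin 3/4) scheme: md5(md5(password) + salt), hex digests.
def legacy_vbulletin_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

def verify_legacy(password: str, salt: str, stored: str) -> bool:
    return legacy_vbulletin_hash(password, salt) == stored

# bcrypt modular crypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
LEGACY_RE = re.compile(r"^[0-9a-f]{32}$")

def classify_hash(stored: str) -> str:
    """Return 'bcrypt', 'legacy' (32-hex MD5) or 'unknown' for a stored hash string."""
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if LEGACY_RE.match(stored):
        return "legacy"
    return "unknown"

def bcrypt_cost(stored: str) -> int:
    """Work factor (2**cost rounds) of a bcrypt string; the post's hashes use 10."""
    m = BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))

def exhaustive_search_years(charset_size: int, length: int, rate_per_second: float) -> float:
    """Years needed to try every password of `length` symbols from `charset_size` at a given rate."""
    return charset_size ** length / rate_per_second / 86_400 / 365

def inventory(rows):
    """Count hash types in (email, stored_hash) rows so legacy hashes can be scheduled for upgrade."""
    counts = {"bcrypt": 0, "legacy": 0, "unknown": 0}
    for _email, stored in rows:
        counts[classify_hash(stored)] += 1
    return counts

# Constructed sample rows (not real Hookers.nl data): two legacy, one bcrypt, one bad record.
SAMPLE_BCRYPT = "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_ROWS = [
    ("old1@example.org", legacy_vbulletin_hash("password", "a1b")),
    ("old2@example.org", legacy_vbulletin_hash("qwerty", "z9y")),
    ("new@example.org", SAMPLE_BCRYPT),
    ("bad-record", ""),
]
```

`exhaustive_search_years(93, 6, 750)` reproduces the post’s ~27 years for bcrypt, while the same keyspace at 12.5G/s for the legacy scheme finishes in under a minute.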

At Scattered Secrets we see a lot of breaches containing bcrypt hashes. To speed cracking up, we run a cluster of specialized bcrypt crackers. The crackers do not use the de facto standard Graphics Processing Units (‘GPU’, as used in gaming PCs) for cracking, but Field Programmable Gate Arrays (‘FPGA’, specialized hardware). This means that a single one of our servers matches or even beats the computing power of a full height server rack (180 cm / 6 feet high) filled with high-end conventional GPU based password crackers.

To attack the Hookers.nl hashes, we have used one cracker with generic computing power for the legacy accounts. One specialized cracker was used to crack the bcrypt hashes. The total time of the cracking session was three days.


The seemingly random passwords caught our attention, like #1: ‘vRbGQnS997’. The associated email addresses have the same destination with a different notation (e.g. a.ccount@gmail.com, ac.count@gmail.com, acc.ount@gmail.com, acco.unt@gmail.com, accou.nt@gmail.com, accoun.t@gmail.com etc.) or use <sequential number>@domain. We assume that the accounts were created using an automated process — password #1 is used 1,320 times — and were used for spam activities. Other possible explanations are more than welcome.
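A defender-side check for the registration pattern just described, as an added example that is not part of the original post. It assumes Gmail’s behaviour of delivering dot- and plus-variants of a local part to the same mailbox, flags `<number>@domain` addresses, and runs on a constructed address list that mirrors the post’s example.

```python
import re
from collections import Counter

# Assumption: Gmail delivers dot- and plus-variants of a local part to one mailbox; other providers are left as-is.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
SEQUENTIAL_LOCAL_RE = re.compile(r"^\d+$")

def canonical_address(address: str) -> str:
    """Collapse notation variants of one mailbox into a single canonical form."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def is_sequential_local(address: str) -> bool:
    """True for <number>@domain style addresses such as 1001@example.org."""
    return bool(SEQUENTIAL_LOCAL_RE.match(address.rpartition("@")[0]))

def registration_clusters(addresses, min_size: int = 3):
    """Group registrations by delivery mailbox; clusters of min_size or more suggest automation."""
    counts = Counter(canonical_address(a) for a in addresses)
    return {mailbox: n for mailbox, n in counts.items() if n >= min_size}

def sequential_ratio(addresses) -> float:
    """Share of addresses whose local part is purely numeric."""
    if not addresses:
        return 0.0
    return sum(is_sequential_local(a) for a in addresses) / len(addresses)

# Constructed sample registrations; the dot variants mirror the pattern described in the post.
SAMPLE_ADDRESSES = [
    "a.ccount@gmail.com", "ac.count@gmail.com", "acc.ount@gmail.com",
    "acco.unt@gmail.com", "accou.nt@gmail.com", "accoun.t@gmail.com",
    "1001@example.org", "1002@example.org", "alice@example.org", "bob@example.net",
]
```

Applying the same canonicalisation at registration time, and counting accounts per delivery mailbox, would have surfaced the 1,320-account cluster long before a breach.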

The other passwords match what we see in other datasets: all-time favorites (‘123456’, ‘password’ etc.), cities, soccer clubs, cars, and the name of the website and things related to it. One thing that stands out: #6 versus #14, ‘qwerty’ versus ‘azerty’. It seems that a lot of Belgian and French visitors registered, since the AZERTY keyboard layout is mainly used in those two countries.

Not in the top 35 but worth mentioning:

  • Nearly a hundred users use a 10-digit password that matches the syntax of a Dutch cell phone number.
  • Cracked accounts include — among others — users from domains of Dutch governmental institutions like the department of defense, foreign affairs and law enforcement.
  • Analysis of IP addresses shows that many of those users visit Hookers.nl from work.

Final words

data of various hacked vBulletin forums available for download

Blackmail is possible without additional effort: expect blackmail scam demands soon. If this happens to you personally: contact law enforcement and follow their instructions.

Over 80% of the Hookers.nl passwords are hashed using a legacy algorithm. Cracking legacy password hashes is within reach of everyone with a decent gaming PC. To crack a significant percentage of the modern hashes, specialized equipment is required.

If you are using (variants of) the same password for several services: update your passwords as soon as possible. To stay as safe as possible in the future: use long (≥12 positions) and unique passwords (completely unrelated) for all your accounts.

Scattered Secrets ♥ passwords ;) Don’t forget to check if your passwords are breached!
