How about a scare for the weekend? According to internet security firm Trustwave, more than 2 million passwords for social media sites including Facebook and Twitter, as well as passwords for Yahoo and Google accounts, have been stolen and posted online.
Social Media Hacked
In a blog post on the company's website, Trustwave states that a botnet called Pony pulled the information from thousands of infected computers all over the world, and that the stolen data included email addresses together with their corresponding login details.
The post by Daniel Chechik and Anat (Fox) Davidi said that two Russian-language social network websites were also among the affected domains, which suggests that many of the victims are Russian speakers. The post adds:
"Another interesting item on the list is the payroll service provider adp.com. It is only natural to have such domains in the mix, but it is surprising to see it ranked #9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions."
While this is not the first time accounts have been compromised in this quantity, Trustwave says it has enough information to break the haul down by the kind of credentials that were stolen. The breakdown is as follows:
- 1,580,000 website login credentials stolen
- 320,000 email account credentials stolen
- 41,000 FTP account credentials stolen
- 3,000 Remote Desktop credentials stolen
- 3,000 Secure Shell account credentials stolen
There is a lot of technically interesting information in the post, which is worth reading in full, but one of the other notable findings concerned the strength of the stolen passwords.
For enterprises whose users reach data-heavy applications with the same kinds of credentials, this has clear implications. Looking at the findings, it is likely that many companies will need to review their password policies.
According to Trustwave, the top ten most commonly used passwords alone account for 2.4 percent of the compromised accounts. The post lists the most common passwords found in the data.
Representatives for Facebook and Twitter said that the passwords of the affected accounts have been reset; Google declined to comment on the affair and Yahoo could not be reached. The Trustwave blog adds:
"In our analysis, passwords that use all four character types and are longer than eight characters are considered 'Excellent,' whereas passwords with four or less characters of only one type are considered 'Terrible.' Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category."
Trustwave also compared the results with a similar set of stolen passwords from 2006 and found that the most common passwords then made up only 0.9 percent of all passwords, as opposed to 2.4 percent now. In other words, the concentration on a handful of weak, popular passwords has grown, not shrunk.
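The two measurements above, the share of a dump covered by its top-N passwords and the spread across Trustwave's strength scale, are easy to reproduce on any credential list. The following is an added example written for this article, not Trustwave's own tooling or data: it parses a constructed tab-separated dump (site, user, password), counts the top-N share, and classifies each password. Only the 'Excellent' and 'Terrible' rules follow the definitions quoted from the post; the four character classes (lowercase, uppercase, digits, punctuation) and the thresholds for the 'Good', 'Medium' and 'Bad' steps are assumptions made here.

```python
"""Score a credential dump the way the Trustwave post describes:
top-N password share and a five-step strength scale.

Added example for this article, not Trustwave's code. The dump is
constructed; 'Good', 'Medium' and 'Bad' thresholds are assumptions.
"""
from collections import Counter
import string

# Constructed sample in "site<TAB>user<TAB>password" form, roughly how an
# infostealer controller stores harvested logins. Not real data.
SAMPLE_DUMP = """\
facebook.com\talice\t123456
facebook.com\tbob\tpassword
twitter.com\tcarol\t123456
yahoo.com\tdave\t1234
google.com\terin\tTr0ub4dor&3xtra
adp.com\tfrank\tCorrect-Horse-Battery-9
vk.com\tgeorge\t1234
twitter.com\theidi\t123456
mail.ru\tivan\tqwerty
google.com\tjudy\tSummer2013
"""


def parse_dump(text):
    """Return (site, user, password) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # corrupt or truncated record; do not guess at it
        records.append(tuple(parts))
    return records


def char_types(pw):
    """Number of character classes used (assumed: lower/upper/digit/punct)."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def strength(pw):
    """Map a password onto the five-step scale from the post.

    'Excellent' and 'Terrible' are exactly as quoted; the three middle
    steps are this example's assumption, ordered so a password can only
    land in one of them.
    """
    n, types = len(pw), char_types(pw)
    if types == 4 and n > 8:
        return "Excellent"
    if types <= 1 and n <= 4:
        return "Terrible"
    if types >= 3 and n > 8:    # assumption: three classes, long
        return "Good"
    if types <= 1 or n < 6:     # assumption: single class or very short
        return "Bad"
    return "Medium"


def top_n_share(records, n=10):
    """Top-n passwords with counts, and the fraction of records they cover."""
    counts = Counter(pw for _, _, pw in records)
    top = counts.most_common(n)
    covered = sum(c for _, c in top)
    return top, covered / len(records)


def strength_histogram(records):
    """How many passwords fall into each step of the scale."""
    return Counter(strength(pw) for _, _, pw in records)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    top, share = top_n_share(recs, n=2)
    print(f"top-2 passwords {top} cover {share:.1%} of {len(recs)} records")
    for step, count in strength_histogram(recs).most_common():
        print(f"{step:10s} {count}")
```

On a real dump the n=10 share is the number to compare against the 2.4 percent (or 0.9 percent for 2006) figures quoted above; a rising share means users are converging on the same few weak choices, which is exactly what makes credential stuffing cheap.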
This is just the latest in a long list of security breaches over the years; the most notable recent one targeted Adobe, where information on 2.9 million Adobe users, including credit card details, was harvested.
Earlier in the year, Voltage Security presented research at the RSA conference in San Francisco which found that 46% of employees were not prepared to lose a sale because of security protocols and had bypassed them to access sensitive information in order to close a deal.
While this is not directly related to the theft of password and login data, bypassing security controls leaves exactly the holes that attacks like this one exploit.
Only this week, a report from the Economist Intelligence Unit entitled "Information Risk: Managing digital assets in a new technology landscape" found that, apart from hackers, the other really big threat to enterprises is their own employees.
While this theft has yet again drawn attention to the problem of password security for private users and enterprises alike, whether it prompts people to change their online habits remains to be seen; given what Trustwave's comparison with 2006 shows, there is little reason to think that it will.