Site   Web

December 5, 2013

Hackers Steal 2M User IDs, Passwords — Posts Them Online

Image courtesy of (chanpipat)/

The usernames and passwords of roughly two million Facebook, Twitter, LinkedIn, Google and Yahoo users have been stolen and posted online by hackers, an online security firm has discovered.

SpiderLabs researchers came across the data while looking into a server in the Netherlands used by hackers to control what is known as the Pony botnet. The botnet is comprised of a large network of computers that have been compromised by the hackers.

The stolen information includes:

SpiderLabs image

SpiderLabs image

1,580,000 website login credentials stolen.

• 320,000 e-mail account credentials stolen.

• 41,000 FTP account credentials stolen.

• 3,000 Remote Desktop credentials stolen.

• 3,000 Secure Shell account credentials stolen.

From the 1.58 million compromised login credentials, more than 326,000 are from Facebook accounts, 60,000-plus are from Google accounts, more than 59,000 are from Yahoo accounts, about 22,000 are from Twitter accounts and nearly 8,500 are from LinkedIn accounts, according to SpiderLabs.

Account holders in the United States, the Netherlands, Germany, Indonesia, Singapore, Thailand and a handful of other countries were hit.

According to Reuters, Facebook and Twitter spokespeople said the social networks have reset the passwords of all users who were hacked. A Google spokeswoman declined to comment on the issue, while Yahoo was unavailable for comment.

SpiderLabs, which did an analysis of the stolen data, found many of the confiscated passwords were weak.

The top 10 passwords to appear on the list were:

SpiderLabs image

SpiderLabs image

• 123456

• 123456789

• 1234

• password

• 12345

• 12345678

• 123

• 1

• 1234567

• 111111

“And it all goes downhill from there,” SpiderLabs’ Daniel Chechik and Anat (Fox) Davidi wrote in a blog post. “We looked at the length and complexity of the passwords to get a better idea about the rest of the passwords” and found many of them used only one type of character.

Experts always encourage Internet users to use multiple characters: uppercase letters, lowercase letters, numbers and special characters.

“We also divided all the passwords into groups by password lengths,” they wrote. “Since both the length and type of characters in a password make up its ultimate complexity, we grouped those two characteristics to get an overall impression of how strong the passwords are.”

SpiderLabs image

SpiderLabs image

To determine how good the passwords were, the researchers broke them down into five categories from excellent — passwords that use all four character types and are longer than eight characters — to terrible — passwords with four or less characters of only one type.

Here is the breakdown:

• Excellent — Five percent

• Good — 17 percent

• Medium — 44 percent

• Bad — 28 percent

• Terrible — six percent

“Back in 2006 the top ten most common passwords comprised only 0.9 percent of the total count,” they said. “Today, in 2013, they add up to 2.4 percent. This could be a result of myspace having a minimum complexity policy, while in our data we have various domains with differing password complexity requirements. If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security.  If you don’t enforce a password policy, don’t expect your users to do it for you.”


Jennifer Cowan is the Managing Editor for SiteProNews.