Hacker database discovered with millions of account credentials from Facebook, Twitter, Yahoo

Shawn Knight



Researchers at cyber security firm Trustwave recently discovered a hacker database that contains more than 2 million stolen passwords associated with a variety of popular services including Facebook, Gmail, Twitter and Yahoo. These services and more have been resetting account credentials since news of the theft started making the rounds.

Specifically, the collection contains login information for 318,121 Facebook accounts, 21,780 Twitter accounts, 54,437 Google-related accounts and 59,594 Yahoo accounts. There are also roughly 320,000 e-mail account credentials in the haul with the remaining accounts consisting of FTP logins and remote login information.

Fortunately for those in North America, there probably isn’t too much to worry about, as the majority of individuals targeted were from Germany, Indonesia, the Netherlands, Thailand and Singapore. More than 90 countries fell victim collectively, although fewer than 2,000 of the compromised accounts were from the United States.

The software responsible for gathering credentials is known as the Pony Botnet controller. We are told that version 1.9 contains a powerful keylogger that is able to capture each keystroke as a user types on an infected machine.

Perhaps more disturbing than the theft itself is the fact that people are still using absurdly simple passwords to protect their online accounts. The investigation found that the most common passwords used were “123456,” “123456789,” “1234” and "password." Of course, a more secure password wouldn’t have helped in this case but still, a string of numbers in sequential order or the word “password” as your password is troublesome.


 
"Perhaps more disturbing than the theft itself is the fact that people are still using absurdly simple passwords to protect their online accounts."

What else is new?
 
There was some article on passwords I read that something like this (paraphrasing):
Corporations continue to make passwords more 'complex' by requesting numbers, special characters, combinations of upper and lower-case, non-dictionary words, etc. Computers are very good at running lots of combinations of anything... indefinitely. So passwords are getting easier and easier for computers to 'guess' and harder and harder for humans to remember. Humans write them down or choose the most simplistic of the requirements resulting in an even more insecure environment.

The best passwords are two words that are random, but easy to remember (i.e., if you have a picture of your kid/spouse/whatever at your desk, choose their shirt brand/type with your favorite feature - TommyHilger Eyes). Hard for humans and computers to guess because it's not worth the time for a bot to run the time required to find that (assuming the bot is programmed to even look for such things) but easy for you to remember.
 
This is why all of my passwords are highly secure numeric anagrams. For instance: 12345 becomes 54321. No one's brute forcing that.
 
As computers become more powerful, 15 digit character and numbers only passwords can be cracked in less than a week (brute force, less using Smart Brute Force). Yet I still run into financial companies that restrict passwords to numbers or characters and numbers between 8 and 10 characters in length. (Yes I'm talking about you Fidelity and PNC.)

We need to get to QR encoded visual password systems or something similarly large and tough to manually copy and hard to crack using brute force. Of course social engineering is the easiest way to crack a password.
 
It would help if the title either said "and others", or included gmail. As it is now, I read the title quickly and thought "I don't use any of the 3 services listed so I have nothing to worry about" and almost skipped the article. I do use gmail though...
 
"No one's brute forcing that."

I've seen plenty of brute force "password" database files (or just simple notepad files) that have a list of common passwords and their anagrams. It doesn't matter if it's words or numbers. The best thing to use is passphrases and then maybe some numbers. Like two or more word combos like one commenter mentioned above.
 
For remote connections to secure servers we only use keys. Maybe a secure USB key that your browser recognizes with your encrypted passwords? If a user inserts the key into the computer, your browser or application recognizes your key and automatically allows you to log in to secure websites that key is authenticated for?
 
"No one's brute forcing that."

I've seen plenty of brute force "password" database files (or just simple notepad files) that have a list of common passwords and their anagrams. It doesn't matter if it's words or numbers. The best thing to use is passphrases and then maybe some numbers. Like two or more word combos like one commenter mentioned above.
Sarcasm is a heck of a thing.
 
As computers become more powerful, 15 digit character and numbers only passwords can be cracked in less than a week (brute force, less using Smart Brute Force). Yet I still run into financial companies that restrict passwords to numbers or characters and numbers between 8 and 10 characters in length. (Yes I'm talking about you Fidelity and PNC.)

We need to get to QR encoded visual password systems or something similarly large and tough to manually copy and hard to crack using brute force...
exactly https://www.grc.com/sqrl/sqrl.htm
 
This wouldn't make headlines if everyone had secured their accounts with multi-factor authentication.
 
Make it jail for life or death sentence and let's see how many hackers are left after that.
 
It doesn't really matter how secure your password is. Don't you know that facebook and google are already scanning your information and making it available to other businesses and government? They've basically already hacked your account and exploited you in ways we're only beginning to understand. Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
 
"Perhaps more disturbing than the theft itself is the fact that people are still using absurdly simple passwords to protect their online accounts."

What else is new?
Which should imply there is nothing within the account worth hacking it for. I used a simple password (the same password for the last 15 years), but if the account was important enough, I would choose to use something more complex. I don't have anything to worry about, because I'm not a major target.
 
Facebook, Twitter & Yahoo are all free....

Who cares if someone can gain access to those accounts... they are throw away and pointless.

Gmail is free too... who cares what a hacker can do, or read..? Google is already one up, on these hackers, as their users have already given permission for Google to do what these hackers are trying to do. (Read & steal your info..)
 
Most are using the easy route, but they don't realize what could happen with these script kiddies out there.

Password Length: 16
Password Example: w3lCR(?nS..vD94c
Safe level: High
 
From howsecureismypassword:

"It would take a desktop PC about 412 trillion years to crack your password". :)

Still, I don't get what password complexity has to do with a topic about a botnet with a keylogger. Yeah, we all know the average man's password still sucks, but that's irrelevant here IMO.
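The comments above argue about brute-force keyspace, reversed or "anagram" passwords, and the length limits some banks impose. The following is an added illustration, not code from the article or any commenter: a small password-policy check that blocks the four most common passwords named in the article (and trivial variants of them, such as reversal or a trailing digit suffix), rejects sequential digit strings like 12345 or 54321, and estimates the brute-force keyspace in bits from the character classes used. The blocklist, the variant rules and the 12-character minimum are assumptions chosen for the example; a real deployment would use a full breach corpus.

```python
"""Added example: password-policy checks informed by the dump statistics above."""
import math
import string

# The four most common passwords reported by the article. A real blocklist
# would be a full breach corpus; this short set is constructed for the example.
COMMON_PASSWORDS = {"123456", "123456789", "1234", "password"}


def normalize_variants(pw):
    """Return the trivial transformations a wordlist attack also covers:
    case folding, reversal, and stripping a trailing digit suffix.
    (Assumption: these are the minimum mangling rules worth blocking.)"""
    base = pw.lower()
    variants = {base, base[::-1]}
    stripped = base.rstrip(string.digits)
    if stripped:
        variants.add(stripped)
    return variants


def is_sequential_digits(pw):
    """True for all-digit runs that step by +1 or -1, e.g. 12345 or 54321."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def charset_size(pw):
    """Size of the smallest standard alphabet that contains every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def brute_force_bits(pw):
    """Upper bound on guessing work (log2 of keyspace) if the attacker has no
    better strategy than enumerating every string over the detected alphabet.
    A digit-only 10-character password is ~33 bits; 16 mixed-class characters
    are ~105 bits."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def check_password(pw):
    """Return (accepted, reason). Blocklist and pattern checks run first,
    because keyspace size is meaningless for a password that is on a wordlist."""
    if normalize_variants(pw) & COMMON_PASSWORDS:
        return False, "matches a common breached password or a trivial variant of one"
    if is_sequential_digits(pw):
        return False, "sequential digits"
    if len(pw) < 12:  # assumed minimum length for this example
        return False, "shorter than 12 characters"
    return True, f"~{brute_force_bits(pw):.0f} bits of brute-force keyspace"


if __name__ == "__main__":
    for candidate in ["123456", "54321", "Password123", "w3lCR(?nS..vD94c"]:
        print(candidate, "->", check_password(candidate))
```

Note that the keyspace figure is only an upper bound on attacker effort; as several commenters point out, a keylogger or a phishing page sidesteps it entirely, which is why the blocklist check runs before any entropy estimate.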
 
There was some article on passwords I read that something like this (paraphrasing):
Corporations continue to make passwords more 'complex' by requesting numbers, special characters, combinations of upper and lower-case, non-dictionary words, etc. Computers are very good at running lots of combinations of anything... indefinitely. So passwords are getting easier and easier for computers to 'guess' and harder and harder for humans to remember. Humans write them down or choose the most simplistic of the requirements resulting in an even more insecure environment.

The best passwords are two-words that are random, but easy to remember (I.e., if you have a picture of your kid/spouse/whatever at your desk choose their shirt brand/type with your favorite feature - TommyHilger Eyes). Hard for humans and computers to guess because it's not worth the time for a bot to run the time required to find that (assuming the bot is programmed to even look for such things) but easy for you to remember.

That is very very wrong. If you are against some ignorant skid that doesn't know what a dictionary attack is and is trying to brute-force passwords, then your method works. However, any hacker worth their salt (get it, salt?) will crack a two-word or even four-word password in a matter of hours.

The most secure method of obtaining a pseudo-random password that is easy to remember, but hard to guess is an anagram of a sentence. So "My aunt Sally was born on Friday, December 22nd." becomes "MaSwboF,D22." Now you have an 11 character password that is incredibly hard to guess, very easy to remember, and almost impossible to crack. And it contains two special characters, two numbers, two upper case, and two lower case.
 
What's more disturbing is that you believe that a strong password can save your ***. All you have to do is learn someone's weak reset credentials and you have defeated their strongest passwords.
 
Wow. People still think passwords work. After so many have pointed out that they are pointless when someone installs a keylogger on your computer. With that you are actually giving your password away. How about the dumb user with the secure password who falls for the "your account has been compromised, here is a link to change your password" message? You enter your password. How about this: I tell you on my website that what you entered is wrong, and you, thinking you forgot your password, keep trying to guess at it while giving me all the passwords you have ever had. You keep trying, not even thinking that it is a fake website. Hahaha.
 