Hacker database discovered with millions of account credentials from Facebook, Twitter, Yahoo

By on December 5, 2013, 7:30 AM
yahoo, facebook, twitter, gmail, hacking, stolen, passwords

Researchers at cyber security firm Trustwave recently discovered a hacker database that contains more than 2 million stolen passwords associated with a variety of popular services including Facebook, Gmail, Twitter and Yahoo. These services and more have been resetting account credentials since news of the theft started making the rounds.

Specifically, the collection contains login information for 318,121 Facebook accounts, 21,780 Twitter accounts, 54,437 Google-related accounts and 59,594 Yahoo accounts. There are also roughly 320,000 e-mail account credentials in the haul with the remaining accounts consisting of FTP logins and remote login information.

Fortunately for those in North America, there probably isn’t too much to worry about as the majority of individuals targeted were from the Germany, Indonesia, the Netherlands, Thailand and Singapore. More than 90 countries fell victim collectively although less than 2,000 accounts compromised were from the United States.

The software responsible for gathering credentials is known as the Pony Botnet controller. We are told that version 1.9 contains a powerful keylogger that is able to capture each keystroke as a user types on an infected machine.

Perhaps more disturbing than the theft itself is the fact that people are still using absurdly simple passwords to protect their online accounts. The investigation found that the most common passwords used were “123456,” “123456789,” “1234” and "password." Of course, a more secure password wouldn’t have helped in this case but still, a string of numbers in sequential order or the word “password” as your password is troublesome.




User Comments: 21

Got something to say? Post a comment
2 people like this | VitalyT VitalyT said:

It reads - hacker's database got hacked...

1 person liked this | Guest said:

"Perhaps more disturbing than the theft itself is the fact that people are still using absurdly simple passwords to protect their online accounts."

What else is new?

insect said:

There was some article on passwords I read that something like this (paraphrasing):

Corporations continue to make passwords more 'complex' by requesting numbers, special characters, combinations of upper and lower-case, non-dictionary words, etc. Computers are very good at running lots of combinations of anything... indefinitely. So passwords are getting easier and easier for computers to 'guess' and harder and harder for humans to remember. Humans write them down or choose the most simplistic of the requirements resulting in an even more insecure environment.

The best passwords are two-words that are random, but easy to remember (I.e., if you have a picture of your kid/spouse/whatever at your desk choose their shirt brand/type with your favorite feature - TommyHilger Eyes). Hard for humans and computers to guess because it's not worth the time for a bot to run the time required to find that (assuming the bot is programmed to even look for such things) but easy for you to remember.

1 person liked this | davislane1 davislane1 said:

This is why all of my passwords are highly secure numeric anagrams. For instance: 12345 becomes 54321. No one's brute forcing that.

Guest said:

As computers become more powerful, 15 digit character and numbers only passwords can be cracked in less than a week (brute force, less using Smart Brute Force). Yet I still run into financial companies that restrict passwords to numbers or characters and numbers between 8 and 10 characters in length. (Yes I'm talking about you Fidelity and PNC.)

We need to get to QR encoded visual password systems or something similarly large and tough to manually copy and hard to crack using brute force. Of course social engineering is the easiest way to crack a password.

Guest said:

It would help if the title either said "and others", or included gmail. As it is now, I read the title quickly and thought "I don't use any of the 3 services listed so I have nothing to worry about" and almost skipped the article. I do use gmail though...

Guest said:

"No one's brute forcing that."

I've seen plenty of brute force "password" database files (or just simple notepad files) that have a list of common passwords and their anagrams. It doesn't matter if it's words or numbers. The best thing to use is passphrases and then maybe some numbers. Like two or more word combos like one commenter mentioned above.

Guest said:

For remote connections to secure server we only use keys. Maybe a secure USB key that your browser recognizes with your encrypted passwords? If a user inserts the key into the computer, your browser or application recognizes your key and automatically allows you to login to secure websites that key is authenticated for?

1 person liked this | ikesmasher said:

"No one's brute forcing that."

I've seen plenty of brute force "password" database files (or just simple notepad files) that have a list of common passwords and their anagrams. It doesn't matter if it's words or numbers. The best thing to use is passphrases and then maybe some numbers. Like two or more word combos like one commenter mentioned above.

Sarcasm is a heck of a thing.

mattfrompa mattfrompa said:

As computers become more powerful, 15 digit character and numbers only passwords can be cracked in less than a week (brute force, less using Smart Brute Force). Yet I still run into financial companies that restrict passwords to numbers or characters and numbers between 8 and 10 characters in length. (Yes I'm talking about you Fidelity and PNC.)

We need to get to QR encoded visual password systems or something similarly large and tough to manually copy and hard to crack using brute force...

exactly https://www.grc.com/sqrl/sqrl.htm

Guest said:

This wouldn't make headlines if everyone had secured their accounts with multi-factor authentication.

Guest said:

Make it jail for life or death sentence and let's see how many hackers are left after that.

Guest said:

It doesn't really matter how secure your password is. Don't you know that facebook and google are already scanning your information and making it available to other businesses and government? They've basically already hacked your account and exploited you in ways we're only beginning to understand. Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

"Perhaps more disturbing than the theft itself is the fact that people are still using absurdly simple passwords to protect their online accounts."

What else is new?

Which should imply there is nothing within the account worth hacking it for. I used a simple password (the same password for the last 15 years), but if the account was important enough, I would choose to use something more complex. I don't have anything to worry about, because I'm not a major target.

Guest said:

Facebook, Twitter & Yahoo are all free....

Who cares if someone can gain access to those accounts... they are throw away and pointless.

Gmail is free too... who cares what a hacker can do, or read..? Google is already one up, on these hackers, as their users have already given permission for Google to do what these hackers are trying to do. (Read & steal your info..)

tipstir tipstir, TS Ambassador, said:

Most are using the easy route but they don't realize what could happen with this script kiddies out there.

This is Password Length: 16

Password Example: w3lCR(?nS..vD94c

Safe level: High

tomkaten tomkaten said:

From howsecureismypassword:

"It would take a desktop PC about 412 trillion years to crack your password".

Still, I don't get what password complexity has to do with a topic about a botnet with a keylogger. Yeah, we all know the average man's password still sucks, but that's irrelevant here IMO.

Skandranonsg Skandranonsg said:

There was some article on passwords I read that something like this (paraphrasing):

Corporations continue to make passwords more 'complex' by requesting numbers, special characters, combinations of upper and lower-case, non-dictionary words, etc. Computers are very good at running lots of combinations of anything... indefinitely. So passwords are getting easier and easier for computers to 'guess' and harder and harder for humans to remember. Humans write them down or choose the most simplistic of the requirements resulting in an even more insecure environment.

The best passwords are two-words that are random, but easy to remember (I.e., if you have a picture of your kid/spouse/whatever at your desk choose their shirt brand/type with your favorite feature - TommyHilger Eyes). Hard for humans and computers to guess because it's not worth the time for a bot to run the time required to find that (assuming the bot is programmed to even look for such things) but easy for you to remember.

That is very very wrong. If you are against some ignorant skid that doesn't know what a dictionary attack is and is trying to brute-force passwords, then your method works. However, any hacker worth their salt (get it, salt?) will crack a two-word or even four-word password in a matter of hours.

The most secure method of obtaining a pseudo-random password that is easy to remember, but hard to guess is an anagram of a sentence. So "My aunt Sally was born on Friday, December 22nd." becomes "MaSwboF,D22." Now you have an 11 character password that is incredibly hard to guess, very easy to remember, and almost impossible to crack. And it contains two special characters, two numbers, two upper case, and two lower case.

Alpha Gamer Alpha Gamer said:

***********

best password ever

Guest said:

What's more disturbing is that you believe that a strong password can save your ass. All you have to do is learn someones weak reset credentials and you have defeated their strongest passwords.

Guest said:

Wow. People still think passwords work. After so many have pointed out that they are pointless when someone installed a keylogger on your computer. With that you are actually giving your password away. How about the dumb user with the secure password who falls for the your account has been compromised here is a link to change your password. You enter your password. How about this I tell you on my website that what you entered is wrong and you thinking you forgot your password keep trying to guess at it while giving me all your passwords you ever had. You keep trying not even thinking that it is a fake web site. Hahaha.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.