Feeds

Two million TERRIBLE PASSWORDS stolen by malware attackers

Yahoo, Facebook accounts among haul in latest credential harvest

Internet Security Threat Report 2014

Researchers have uncovered a massive cache of stolen account credentials which could impact some two million users.

Security firm Trustwave said that its SpiderLabs reconnaissance team has detected a malware operation which has been able to pilfer account credentials on infected machines and build an archive of lifted passwords for services including Facebook, Yahoo and Google.

The attackers also harvested thousands of account credentials for remote desktop services, FTP connections and secure shells.

The attack, which appears to use a derivative of the Pony malware, appears to be largely concentrated on Russian-speaking sites and services, say researchers. While much of the command and control traffic was traced to the Netherlands, researchers noted that the operation likely uses proxies to hide the true location of its control systems.

The company did not report any widespread attacks on the sites themselves related to the password thefts.

While the malware itself is known and the infection can be prevented by installing and maintaining antivirus and security tools, Trustwave noted that the breach highlights a larger, and ongoing, security problem.

An analysis of the stolen credentials would suggest that in many cases, the malware operators would have been able to compromise many accounts simply by guessing. The Trustwave researchers noted that among the dumped passwords, low-security choices such as simple numeric sequences were by far still the most common choices.

Trustwave reports that for many of the stolen passwords, only one type of character was chosen and in many cases the passwords remained extremely short. Just 22 per cent of the observed passwords used a long, strong, and multiple character password classified as "good" or "excellent" by the company and 28 per cent were considered "bad" or "terrible" password choices.

The use of simple, easily-guessed passwords has long been a problem at nearly every level of IT from system admins to chief security officers and anti-malware vendors. Experts recommend that in addition to avoiding blatantly stupid choices such as "12345", users avoid dictionary words and pick log-ins that mix both cases and alphanumeric characters.

Unfortunately, says Trustwave, there is little indication that those efforts to educate users are gaining much traction. The company noted that when compared to a similar password dump analyzed in 2006, the collection suggests that users are in fact relying more on common passwords, with the top 10 most common accounting for 2.4 per cent of all of those harvested.

Even if you've not been infected, now would be a good time to seriously consider changing, strengthening, and diversifying your passwords. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.