Hackers Steal 2 Million Usernames & Passwords from Social Networking Sites including Google, Facebook, Twitter and LinkedIn

This is a whale of a heist. Security experts at Trustwave's SpiderLabs have discovered a trove of roughly 2 million stolen account credentials (usernames and passwords) for all the major social networks, turned up during the investigation of a server in the Netherlands that cyber criminals use to control a large network of hacked computers known as the 'Pony botnet.'


Experts say this massive credential theft was not the result of a breach at the sites themselves: the usernames and passwords were captured by key-logging malware installed on a large number of computers across the globe and sent back to the botnet's command-and-control server. The victims were mostly from the U.S., Germany, Singapore, Thailand, and the Netherlands.


Hack Analysis By The Numbers


What Was Stolen?

  • ~1,580,000 website login credentials stolen
  • ~320,000 email account credentials stolen
  • ~41,000 FTP account credentials stolen
  • ~3,000 Remote Desktop credentials stolen
  • ~3,000 Secure Shell account credentials stolen


From Where?

  • 318,000 Facebook accounts
  • 70,000 Gmail, Google+ and YouTube accounts
  • 60,000 Yahoo accounts
  • 22,000 Twitter accounts
  • 9,000 Odnoklassniki accounts (a Russian social network)
  • 2,400 to 8,000 ADP accounts (a payroll services provider)
  • 8,000 LinkedIn accounts


Compromised Passwords: Chart Toppers

A SpiderLabs blog post showed that the most common password in the set was '123456,' used for nearly 16,000 accounts. Other frequently used passwords included 'password,' 'admin,' '123' and '1.'


Compromised Passwords     Hits
123456                  15,820
123456789                4,875
1234                     3,135
password                 2,212
12345                    2,094
12345678                 2,045
admin                    1,991
123                      1,453
1                        1,224
1234567                  1,170
111111                   1,046

Some Password Protection & Security Tips [1]

  • Use a mix of capital and lowercase letters and make passwords at least 8 characters long
  • Use a combination of letters, numbers and symbols such as an exclamation mark
  • Do not use words found in the dictionary
  • Avoid easy-to-guess words, even if they aren't in the dictionary
  • Do not use your name, company name or hometown, or the names of pets and relatives
  • Stay away from birthdays and zip codes, which can be looked up
  • Use http://howsecureismypassword.net/ to get a sense of how strong your password is (test a password with the same structure rather than your real one; never type a password you actually use into a third-party site)
  • Always log out of a site when you're finished with it

Keep in mind that none of these tips would have prevented this particular theft: a key logger like Pony records whatever is typed, however strong the password is, so keeping the computer free of malware matters as much as the password itself.
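The tips above can be turned into a mechanical check. The following is an added example, not code from the original article or from Trustwave; it encodes the listed rules as a policy checker, uses the eleven chart-topping passwords from the table above as a small blocklist, and runs the checker over a constructed, tab-separated dump of fake credentials to report the most common passwords and the share that fail the policy. The tiny word list, the `site<TAB>user<TAB>password` record format and the sample records are assumptions made for the example.

```python
import string
from collections import Counter

# The eleven "chart topper" passwords from the article, used as a blocklist.
# A real deployment would load a far larger list of known-compromised passwords.
KNOWN_COMPROMISED = {
    "123456", "123456789", "1234", "password", "12345", "12345678",
    "admin", "123", "1", "1234567", "111111",
}

# Hypothetical miniature dictionary standing in for a real word list.
DICTIONARY_WORDS = {"password", "admin", "welcome", "dragon", "monkey", "letmein"}


def check_password(pw, personal_terms=(), dictionary=DICTIONARY_WORDS,
                   blocklist=KNOWN_COMPROMISED):
    """Return the list of tip violations for pw (an empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    lowered = pw.lower()
    if lowered in dictionary:
        problems.append("dictionary word")
    # Names, hometown, birthday, zip code etc. must not appear anywhere in the password.
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    if pw in blocklist:
        problems.append("appears in compromised-password list")
    if pw.isdigit():
        problems.append("digits only")
    return problems


def audit_dump(lines, top_n=3):
    """Count passwords in 'site<TAB>user<TAB>password' records (assumed format)
    and return (most common passwords, fraction failing the policy)."""
    passwords = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue  # skip malformed records instead of crashing on them
        passwords.append(parts[2])
    counts = Counter(passwords)
    weak = sum(1 for p in passwords if check_password(p))
    fraction_weak = weak / len(passwords) if passwords else 0.0
    return counts.most_common(top_n), fraction_weak


# Constructed sample records for the demonstration; not real stolen data.
SAMPLE_DUMP = [
    "facebook.com\talice\t123456",
    "facebook.com\tbob\t123456",
    "gmail.com\tcarol\tpassword",
    "twitter.com\tdave\t123456",
    "linkedin.com\terin\tTr0ub4dor&3",
    "broken line with no tabs",
]

if __name__ == "__main__":
    for pw in ("123456", "Tr0ub4dor&3", "Fluffy2019!"):
        print(pw, "->", check_password(pw, personal_terms=["Fluffy", "2019"]) or "passes")
    top, frac = audit_dump(SAMPLE_DUMP)
    print("most common:", top, "weak fraction:", frac)
```

The checker reports every violated rule rather than stopping at the first one, which is what you want when giving a user feedback or when grading a dump like this one; in the constructed sample the three '123456' records and the one 'password' record fail, so four of five passwords are flagged.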


Enterprises and organizations that handle sensitive data in particular would do well to invest in security solutions that monitor the entire IT landscape and provide real-time security intelligence, so that infected endpoints are spotted before they leak credentials.


Even Dilbert Can Guess Your Password!

[Dilbert comic strip]