December 5, 2013
Researchers at Trustwave, a cybersecurity firm, recently detected a huge data breach through which hackers stole usernames and passwords for almost two million accounts.
In a blog post reporting details of the hack, Trustwave charted the domains from which information was stolen. Among the top 10 domains were Facebook, Yahoo, Twitter, Google, LinkedIn, and ADP. Over half of stolen passwords came from Facebook, and about 8,000 came from ADP, a payroll service provider. The blog noted that "Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions."
John Miller, a security research manager at Trustwave, told CNN Money that he's most concerned with the ADP hack, as payroll personnel use the service to manage employee paychecks. Hackers could view any information there until passwords are reset. "They might be able to cut checks, modify people's payments," Miller said. ADP mentioned in a statement that "[t]o [its] knowledge, none of ADP's clients has been adversely affected by the compromised credentials."
The raw numbers of stolen credentials include (approximately) 1.58 million website logins, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktop logins, and 3,000 Secure Shell accounts, as stated in the blog. Miller told CNN Money that "[w]e don't have evidence they logged into these accounts, but they probably did."
As noted in USA Today, over 100 countries were affected, making the attack a global one. Most compromised accounts, however, were from the Netherlands. Thailand, Germany, Singapore, Indonesia, and the United States were also significantly affected. The U.S. accounted for 859 "Reports from Machines" and 1,943 "Passwords Hacked."
CNN Money reported that the hacking campaign began collecting passwords on October 21 and may be ongoing. Miller stated that while Trustwave has uncovered one proxy server in the Netherlands, other similar servers have yet to be found.
According to Miller, the team on the case does not know how the virus was installed on so many personal computers. Moreover, because the keylogging software sends its harvest through a proxy server, it is not possible to identify from the server side which computers are infected. Individuals can, however, find out whether their computers were compromised by updating their antivirus software and installing the latest patches for web browsers, Java, and Adobe products. Because the virus is hidden and runs in the background, simply searching through programs and files will not be enough to detect it.
Another piece of advice that individuals may want to follow is to be more careful when setting their passwords. Trustwave analyzed the complexity and strength of the two million stolen credentials. The 10 most commonly used passwords were, as the blog stated, "far from what your CISO would like to see." Examples include "123456," which came out on top of the list, "123," "admin," "password," "1234," and "123456789." When analyzing password complexity, Trustwave defined an "Excellent" password as one using all four character types and more than 8 characters, and a "Terrible" password as one using only one character type and four or fewer characters. The company found that most passwords were either "Medium" (44 percent) or "Bad" (28 percent), and that more passwords were "Terrible" (6 percent) than "Excellent" (5 percent). Additionally, most compromised passwords used only one or two character types (e.g., "1234" and "abc123").
Trustwave compared the password strength of credentials in the recent breach to those in a 2006 MySpace data breach. In 2006, 1.9 percent of passwords had five or fewer characters, compared to 6.6 percent today, more than triple the original figure. Additionally, in 2006 the ten most common passwords accounted for only 0.9 percent of the total, compared to 2.4 percent today. This could, however, be a result of MySpace's minimum complexity policy for passwords. On the other hand, more people do seem willing to put in the extra effort for password length. In 2006, only 17 percent of compromised accounts had a password with 10 or more characters. Today, that number is 46 percent.
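As an added example (not code from the Trustwave blog or the articles cited), the following Python script applies the "Excellent" and "Terrible" definitions given above to a constructed sample of passwords and computes the same statistics the comparison uses (share with five or fewer characters, share with ten or more, share covered by the most common entries). The page defines only the two extreme tiers, so the three intermediate rules ("Good", "Medium", "Bad") are assumptions made here for illustration.

```python
from collections import Counter


def char_types(pw: str) -> int:
    """Count how many of the four character classes appear: lower, upper, digit, symbol."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def rate(pw: str) -> str:
    """Rate a password on the Trustwave scale.

    'Excellent' and 'Terrible' follow the definitions reported on the page; the
    middle tiers are an ASSUMPTION (ordered by character types, then length).
    """
    n = char_types(pw)
    if n == 4 and len(pw) > 8:
        return "Excellent"
    if n <= 1 and len(pw) <= 4:
        return "Terrible"
    if n >= 3 and len(pw) >= 8:      # assumed tier
        return "Good"
    if n >= 2 and len(pw) >= 6:      # assumed tier
        return "Medium"
    return "Bad"                     # assumed catch-all


def summarize(passwords: list[str], top_n: int = 10) -> dict:
    """Rating distribution plus the length and top-N statistics used in the comparison."""
    total = len(passwords)
    top = Counter(passwords).most_common(top_n)
    return {
        "ratings": dict(Counter(rate(p) for p in passwords)),
        "short_pct": 100 * sum(len(p) <= 5 for p in passwords) / total,
        "long_pct": 100 * sum(len(p) >= 10 for p in passwords) / total,
        "top_pct": 100 * sum(c for _, c in top) / total,
    }


# Constructed sample (not breach data); duplicates model reuse across accounts.
# Note that a long single-class passphrase rates "Bad" under a composition-based scale.
SAMPLE = ["123456", "123456", "123456", "123", "admin", "password", "1234",
          "123456789", "abc123", "Passw0rd", "Tr0ub4dor&3", "correcthorsebattery"]

if __name__ == "__main__":
    for pw in sorted(set(SAMPLE)):
        print(f"{pw:22} {rate(pw)}")
    print(summarize(SAMPLE))
```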
Reflecting on the above data, Trustwave hypothesized that individuals continue to choose comfort over security. Without an enforced password policy, users are unlikely to put enough of an emphasis on password complexity.
Compiled by Aneesha Jhingan
"2 million Facebook, Gmail and Twitter passwords stolen in massive hack," money.cnn.com, December 4, 2013, Jose Pagliery, http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/
"Look What I Found: Moar Pony!," blog.spiderlabs.com, December 3, 2013, Daniel Chechik, http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html
"Mass hack affects almost 2 million Internet accounts," usatoday.com, December 5, 2013, Melanie Eversley, http://www.usatoday.com/story/news/nation/2013/12/04/internet-hack-web-cybersecurity/3875333/