Now might be a good time to change all your passwords, as the BBC reported today that passwords for more than two million accounts belonging to users of popular email and social networking services Facebook, Gmail, Yahoo and Twitter (plus Russian websites VKontakte and Odnoklassniki) were discovered posted for all to see on a Russian website.
- 1,580,000 website login credentials stolen
- 320,000 email account credentials stolen
- 41,000 FTP account credentials stolen
- 3,000 Remote Desktop credentials stolen
- 3,000 Secure Shell account credentials stolen
It is not known how current these passwords are or for how long they have been collected, but as Trustwave researcher Graham Cluley observed,
‘We don’t know how many of these details still work, but we know that 30-40% of people use the same passwords on different websites. That’s certainly something people shouldn’t do.’
Interestingly, if depressingly predictable, the passwords used were typically very weak, with 123456 being the most popular.
Only 23% of passwords were rated as Good or Excellent, and 33% were rated as Bad or Terrible. Commenting on such poor choice of passwords, Mr Cluley said ‘It’s as much use as a chocolate teapot… absolutely useless.’
That the websites vk.com and odnoklassniki.ru were on the list ‘probably indicates that a decent portion of the victims compromised were Russian speakers’, but unfortunately, because the Pony botnet used a reverse proxy to avoid detection, ‘it does prevent us from learning more about the targeted countries in this attack, if there were any’.
Facebook and Twitter have announced that all discovered passwords have been reset, while Google pointed to this blog post, which recommends using 2-step authentication on Gmail accounts. Facebook also advised users to protect themselves against this form of attack by turning on Login Approvals and Login Notifications in their security settings.