
Massive Phishing Campaign Hits Multiple Email Services

Soulskill posted more than 4 years ago | from the nowhere-to-run-to-baby dept.

Security 183

nandemoari writes "It seems as if the massive phishing campaign reported yesterday was not specific to Hotmail, as was initially believed. According to a report by the BBC, many Gmail and Yahoo Mail accounts have also been compromised. Earthlink, Comcast, and AOL were also affected. While the source of the latest attacks has not been determined, many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail. Microsoft has done their part in blocking all known hijacked Hotmail accounts and created tools to help users who had lost control of their email. An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.' On their end, Google responded to the attacks by forcing password resets on the affected accounts."


Wow! (5, Funny)

Anonymous Coward | more than 4 years ago | (#29671613)

An analysis of the data from Hotmail showed the most common password among the compromised accounts to be '12345.'

That's amazing. I've got the same combination on my luggage.

Re:Wow! (1, Insightful)

Yvan256 (722131) | more than 4 years ago | (#29671659)

You destroyed the joke thread by starting at the end.

You should have started with "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

Remind me (4, Funny)

Dareth (47614) | more than 4 years ago | (#29671801)

"Remind me to change the password on my luggage!"

Re:Wow! (3, Insightful)

jpmorgan (517966) | more than 4 years ago | (#29672597)

I'm sure most /.ers actually filled that part in mentally when they read the summary.

Re:Wow! (2, Funny)

Havokmon (89874) | more than 4 years ago | (#29672671)

So he top posted. How appropriate.

Re:Wow! (3, Insightful)

Anonymous Coward | more than 4 years ago | (#29671809)

lol

But seriously, what kind of chickenshit mail server policy even allows that password in the first place?

OH... hotmail.. enough said...

Re:Wow! (1)

conureman (748753) | more than 4 years ago | (#29672015)

There not being a whole lot to lose (or any porn that would get me in trouble ;), if my shit gets compromised, I use the same password on everything. (eight letter word, YMMV) Of course, I'm not afraid to format the HDD and re-install the OS when my foolishness catches up with me, and I DO protect my router, as well. The only thing I worry about is if my node became a SPAMBot, but I check my traffic periodically to avoid that. (Ain't happened yet, but I've had to fix my friend's boxes a few times). I do have one account that's protected by nine letters and a numeral, but that would be easy to guess as well if one knew my attitude toward complying with security policy. OTOH 12345 is a tad egregious as a password, even by my lax standards.

Re:Wow! (1)

tomhudson (43916) | more than 4 years ago | (#29672195)

My question is "why are they storing email passwords in plaintext"?

Of course, they're probably not, just comparing the hash values of "$usr_pw" and "12345", but that is also the most common password on voice email boxes.

One guy up here was convicted - TWICE - for "hacking" into police detectives' voicemail by just randomly dialing extensions, and entering "12345". You'd think after the first conviction, the cops would, you know, CHANGE THEIR FRIGGING PASSWORDS. Even 38258 (FUCK U) would have been better.

On a side note, try dialing numbers like 1-800-FUCK-OFF. Last time we checked (party, late at night) they were assigned.

Re:Wow! (1)

netsharc (195805) | more than 4 years ago | (#29672663)

The passwords are in plain text because the script kiddies phished them, and that's the list that got leaked.

Re:Wow! (2, Funny)

Anonymous Coward | more than 4 years ago | (#29671917)

Saved by 123456!

Take that haxor!

Re:Wow! (1)

zelator29 (994414) | more than 4 years ago | (#29672229)

Hmm I wonder if people used 3039, which is 12345 in hexadecimal...

Re:Wow! (1)

Mister Whirly (964219) | more than 4 years ago | (#29672505)

No, real geeks use 11000000111001 (12345 in binary for you non-geeks)

There are 10 types of people in this world - people who use this lame joke, and people who don't.

Re:Wow! (0)

Anonymous Coward | more than 4 years ago | (#29672585)

The analysis sounds fishy to me, they say the shortest password is a single character. I don't know an e-mail provider that accepts less than 6 characters.

Heh (-1, Offtopic)

MyLongNickName (822545) | more than 4 years ago | (#29671615)

I always new that Gmail users were not to bright. If you want to respond, please carbon me at MyLongNickName@gmail.com. Thanks.

Re:Heh (0)

Anonymous Coward | more than 4 years ago | (#29671683)

It's actually spelled "knew."

Re:Heh (1)

clone53421 (1310749) | more than 4 years ago | (#29671921)

You caught "knew" but missed "too" and "it's really fucking stupid to post your e-mail address in the clear".

In other words, whoosh.

Re:Heh (1)

trapnest (1608791) | more than 4 years ago | (#29672659)

"it's really fucking stupid to post your e-mail address in the clear".

janusofzeal@gmail.com

Re:Heh (0)

Anonymous Coward | more than 4 years ago | (#29671825)

*too

HA! My password is 123456 (4, Funny)

objekt (232270) | more than 4 years ago | (#29671633)

With an extra digit for security! ;-)

I have a real programmer's password (4, Funny)

Biff Stu (654099) | more than 4 years ago | (#29671667)

012345

Preaching to the church (2, Insightful)

HNS-I (1119771) | more than 4 years ago | (#29671859)

I know I'm preaching to the church but a good way to make a password is to make up a sentence and take each first letter, convert some to capitals and numbers and you will never ever forget it.

It is like a walk in the park. iilawitp iiLawitp iiL4wi7p voila!

Re:Preaching to the church (4, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#29672021)

For your example, you might consider using a park that has some significance to you and capitalise the proper nouns, and numbers that actually make sense, to get something that is easier to remember. For example:

'Ten minutes to Central Park, and eat pretzels' becomes 10mtCP,&ep, which is trivial to remember for you (well, it is if you live ten minutes from Central Park and like pretzels). Keeping the punctuation in doesn't make it any harder to remember but adds another non-alphanumeric character. And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember, turns into a ten symbol password, containing letters (upper and lowercase) and punctuation, which is incredibly difficult to brute force.

Re:Preaching to the church (4, Informative)

clone53421 (1310749) | more than 4 years ago | (#29672085)

And, yes, for punctuation nazis there, I realise the comma in that example is superfluous. This short sentence, which anyone can remember,

Real grammar nazis also know that it wasn't a sentence.

Re:Preaching to the church (2, Funny)

Anonymous Coward | more than 4 years ago | (#29672231)

Real grammar nazis also know that it wasn't a sentence.

I love you. Will you marry an anonymous coward?

Re:Preaching to the church (2, Funny)

clone53421 (1310749) | more than 4 years ago | (#29672285)

Your Relationship with Anonymous Coward (666)
Sorry, this is not an option.

Doesn't look like it [slashdot.org]. Sorry.

Re:Preaching to the church (1)

Romancer (19668) | more than 4 years ago | (#29672109)

This is all well and good until you happen upon a website, network, or system that hasn't thought to allow all special characters in the password field. This is the other side of password theory that admins don't get. If you want really secure passwords, don't limit what they can be made of. Some don't allow or keep uppercase, some don't allow non alphanumeric characters. So your password must be slightly different than you would make by default and therefore remember on the first try after a while not using it.

This is sometimes in the software they use and not even a setting. There have been many examples but I think that one of the best was a website that had a hyphen in the name but did not allow hyphens in the url of an account "website" field when setting it up. They didn't think that anybody would have it, but they themselves did.

No standards are so good that they are not to be followed by those with them in place.

Re:Preaching to the church (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#29672361)

With the Psion Series 3, you could enter characters by their ASCII code (no unicode, this was 1993) by holding down a modifier. I thought this would be great for a password; no one would ever guess that they had to hold down a modifier while entering some digits in the middle of the password. It turned out that the password entry box in the settings pane did, indeed, allow this kind of thing. Unfortunately, the first time I locked the device afterwards, I discovered that the password entry box for unlocking did not. That said, I haven't come across anything for a long time that didn't allow upper and lower case and numeric fields (although some discarded the case information). A few don't allow non-alphanumerics, but it's easy to just omit them from the passwords for those sites.

Re:Preaching to the church (0)

Anonymous Coward | more than 4 years ago | (#29672693)

On the Apple II (yes, I'm old...) you could hold down the control key while typing the alphabet. This would enter the ASCII codes 1-26, corresponding to each letter. This was legal in filenames, so you could easily protect a file by calling it GO[CTRL-D]AWAY, for example. There were ways that you could get the hidden letters displayed, but it wasn't exactly common knowledge.

The only downside was that CTRL-G = ASCII 7 = beep! so if you used that letter the noise when you displayed a directory would give a hint. Of course, some people used this for the annoyance factor, too.

Re:Preaching to the church (1)

ender- (42944) | more than 4 years ago | (#29672545)

For some of my passwords I do something similar. I take a line from a song I like and use the first letters of that to create a password. Like one old one I used to use was from a Collin Raye song:

"What if Jesus comes back like that?"

Which became: "WiJcblt?"

Pick a song you like or will remember, and it's almost impossible to forget your password. /Yes I like that song //and yet I'm agnostic ///go figure

Re:Preaching to the church (1)

Jaguar777 (189036) | more than 4 years ago | (#29672115)

If this becomes standard practice I predict the new common password will be "The quick brown fox jumps over the lazy dog".

Re:Preaching to the church (1)

neurovish (315867) | more than 4 years ago | (#29672779)

I know I'm preaching to the church but a good way to make a password is to make up a sentence and take each first letter, convert some to capitals and numbers and you will never ever forget it.

It is like a walk in the park. iilawitp iiLawitp iiL4wi7p voila!

...or you could just use "It is like a walk in the park." and have something that couldn't be bruteforced in a few hours.

Re:Preaching to the church (0)

Anonymous Coward | more than 4 years ago | (#29672819)

Or just use the sentence or phrase. It's a lot easier, and even more secure.

No password generator is going to guess:

"At every turn"
"Don't be afraid"
"It's one in a million"

On the other hand, given enough time, a password generator will guess iiL4wi7p (maybe not as likely at 8 characters long, but the idea is still true as we move further into the future).

The dumbest thing is when sites restrict character usage within their password requirements. It is stupid to limit characters; it only aids in making passwords simpler to crack (smaller range of passwords possible) and makes it harder for people accustomed to using those characters (spaces, in my case) to come up with good passwords.

Re:I have a real programmer's password (0)

Anonymous Coward | more than 4 years ago | (#29671877)

11000000111001

Re:I have a real programmer's password (0)

Anonymous Coward | more than 4 years ago | (#29671959)

3,I4lSgZG53S8g79EZ38AbZb4E38

Re:I have a real programmer's password (2, Funny)

93 Escort Wagon (326346) | more than 4 years ago | (#29672535)

012345

That's why Microsoft thought "12345" was a reasonably secure password - they figured most hacking and phishing attacks would be coming from Linux or BSD boxes, so those people would never think of starting to count with a "1".

Re:I have a real programmer's password (1)

DarthVain (724186) | more than 4 years ago | (#29672847)

Don't you mean: 11000000111001 or 3039

Re:HA! My password is 123456 (2, Interesting)

crunch_ca (972937) | more than 4 years ago | (#29672121)

From the FA, the longest password hacked was: "lafaroleratropezoooooooooooooo" (30 characters).

This was a phishing attack. The strength of the password didn't matter.

The article talks about analysis of password data and doesn't really point out anything we didn't know already.

Re:HA! My password is 123456 (4, Funny)

ballpoint (192660) | more than 4 years ago | (#29672175)

Mine is 123455. I have appended a checksum digit to make sure I don't enter a wrong password by mistake.

12345? (2, Funny)

Zortrium (1251080) | more than 4 years ago | (#29671641)

That's the kind of thing an idiot would have on his luggage!

Re:12345? (2, Funny)

FJGreer (922348) | more than 4 years ago | (#29671771)

But that's what's on my luggage!

Strong password (3, Funny)

war4peace (1628283) | more than 4 years ago | (#29671647)

See, that's why they got their accounts hacked. I use 67890 on all my accounts so I'm sure they'll never get hacked :)

Stronger password (1)

wsanders (114993) | more than 4 years ago | (#29672227)

As a hypothetical, since length is really what matters, I wonder how long it would take before something like

01234567890123 or even 0123456789

would get guessed?

My experience is that short passwords (less than 7 chars) are the ones that get guessed, even if they are "good" ones that have a mix of letters, number, and punctuation.

Re:Stronger password (1)

jonbryce (703250) | more than 4 years ago | (#29672729)

If Microsoft use NTLM hashes on their server, then even 14 characters won't be good enough.

much hype on this story (1)

ei4anb (625481) | more than 4 years ago | (#29671651)

for which definition of many?

$ grep gmail pwd.txt | wc -l
25

Re:much hype on this story (0)

Anonymous Coward | more than 4 years ago | (#29672335)

Did you try this as well?

$ grep googlemail pwd.txt | wc -l

Re:much hype on this story (1)

frenchbedroom (936100) | more than 4 years ago | (#29672403)

Faster to type :

$ grep -c gmail pwd.txt
25

Re:much hype on this story (1)

Xtifr (1323) | more than 4 years ago | (#29672563)

Yes, but overly specific to grep. "|wc -l" works with all sorts of commands, so it's often easier to stick with the most general solution, rather than trying to learn which specific commands have unnecessary, redundant features, unless performance is actually an issue. I often start with grep, and then realize that I've got to reduce the noise and mis-hits by extracting the fields I need with sed or some other tool, which is why I rarely bother to even remember that grep has a "-c" option.

didn't even know hotmail was compromised? (0, Troll)

hydrolyzer (1637811) | more than 4 years ago | (#29671663)

good thing I got lucky and mine wasn't! www.viagra.com

I don't know.... (4, Funny)

Random2 (1412773) | more than 4 years ago | (#29671679)

This all sounds a bit....phishy to me.

Re:I don't know.... (0)

Anonymous Coward | more than 4 years ago | (#29672795)

YEEAAAAAH!

Where are the details? (5, Insightful)

Kadin2048 (468275) | more than 4 years ago | (#29671685)

All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

Re:Where are the details? (1)

royallthefourth (1564389) | more than 4 years ago | (#29671835)

That's all very interesting stuff, but even more importantly: how do I know if I've been affected?

Re:Where are the details? (3, Funny)

John Hasler (414242) | more than 4 years ago | (#29671851)

> ...how do I know if I've been affected?

Are you a fool? If not you are ok.

Re:Where are the details? (0)

Anonymous Coward | more than 4 years ago | (#29671895)

Are you a fool?

Oh boy, he's totally screwed then....

Re:Where are the details? (3, Insightful)

royallthefourth (1564389) | more than 4 years ago | (#29671947)

> ...how do I know if I've been affected?

Are you a fool? If not you are ok.

If the source is something like DNS poisoning, then it's not that simple. I already know my ISP to be a bunch of fools, but I have little choice in that matter.

Re:Where are the details? (1)

John Hasler (414242) | more than 4 years ago | (#29672479)

The articles make it pretty clear that the sources are phishing attacks. In any case, though, the victim has to have used the same password for a Webmail account and a valuable one such as a bank account in order to be at risk of significant loss. In other words, be a fool.

Re:Where are the details? (2, Insightful)

MeBot (943893) | more than 4 years ago | (#29671967)

Your advice is not helpful. What percentage of fools think they are fools?

Re:Where are the details? (1)

swanzilla (1458281) | more than 4 years ago | (#29672407)

Your advice is not helpful. What percentage of fools think they are fools?

Approximately 12345 out of 123456.

Re:Where are the details? (4, Funny)

jim_v2000 (818799) | more than 4 years ago | (#29672095)

Ah, but only a great fool would fall for such an attack, and I am no great fool, so clearly I cannot click the link. But you must know that I am no great fool and thus I cannot not click the link....

Re:Where are the details? (0)

Anonymous Coward | more than 4 years ago | (#29672201)

I don't consider myself a fool, and I'm quite wary of phishing attacks. However, one of my gmail accounts was flagged for a password change on a couple days ago.

They just said 'suspicious activity' and didn't really tell me details.

I would assume it wasn't as simple as a 'Send us your login information so we can see if you won a million dollars' things.

Re:Where are the details? (0)

Anonymous Coward | more than 4 years ago | (#29672627)

Are you a fool? If not you are ok.

Fools always answer that with "No." People who aren't fools tend to answer with "Maybe."

But well done -- you've just encapsulated why programmers often do a bad job of developing interfaces.

Re:Am I affected (1)

flandar (639569) | more than 4 years ago | (#29671943)

If your password is even remotely similar to those listed, you should change it.

Re:Where are the details? (2, Informative)

Jeng (926980) | more than 4 years ago | (#29672001)

It was an email saying that one's inbox was too full and to reply with username and password to have the limit increased.

Re:Where are the details? (5, Informative)

CrossChris (806549) | more than 4 years ago | (#29672189)

How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link?

It's trivially easy - remember, the affected fools were Windows "users". There was a huge spam campaign that sent mails that appeared, to a casual glance, to come from Hotmail. The mails asked users to log in to "Hotmail" using a convenient link in the email, because their account would soon "time out" if it was not used. When they logged in to the spurious website, they were thanked for their prompt action, and then advised to log out and restart their browser "for security", and then to log in to Hotmail again (which, of course, would work normally).

There's one born every minute.....

Re:Where are the details? (1)

maxwells_deamon (221474) | more than 4 years ago | (#29672277)

From one article which was poorly written I think the plan was this:

1) From broken email account send to known email connections a note asking to visit cool shopping site
2) Victim goes to site and keylogger is installed
3) Sniff userid/password
4) Go to step 1

Not much actual phishing here, but the article was poorly written and there were hints that they did not really know what was going on; they were just looking at a list of broken accounts.

Re:Where are the details? (1)

Magrovsky (883765) | more than 4 years ago | (#29672303)

http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/ [acunetix.com]

According to security researcher Bogdan Calin, it seems like the passwords were gathered using a phishing kit targeting the Latino community.

Only 64 out of the 9843 valid passwords leaked were "12345", which indicates that it wasn't a brute force attack on stupid people. Still, the majority of the passwords leaked were weak (lower case or numeral only).

Re:Where are the details? (4, Interesting)

vanyel (28049) | more than 4 years ago | (#29672651)

Saturday, the small ISP I work for had about 1000 users targeted with phishing emails. It's becoming a nearly weekly occurrence, though that was the largest so far. I've had to set up scripts to scan the logs to see who got the messages, send them warning messages, then scan the logs again to see who replied and reset their passwords. In one case, we had a spammer using a responder's account to try to send spam within 2 hours of the response. Squirrelmail is the most common vector, with smtp auth not uncommon. I've had to impose strict rate limit controls on squirrelmail to keep from getting blacklisted all the time; I've got monitors to page me when smtp auth rates get too high, but the false positive rate is too high to impose hard limits at the moment, though we're heading in that direction.

BTW, it's not a good idea to respond to phishers with "F! off" etc: more than one responder doing that has found their address used shortly thereafter in the From of the next round of spam...

Re:Where are the details? (1)

Havokmon (89874) | more than 4 years ago | (#29672797)

All of the stories seem to be very short on details. How did the scheme work? How were they getting users to their site instead of Hotmail? Was it something stupid, like a spam email with a link? Or was it DNS forgery or something more subtle?

Everyone is reporting that it was a particularly big haul for a phishing campaign, but nobody seems to be reporting what the deal was, or why this was more successful than your typical, run-of-the-mill phishing attack.

I run an email service, and regularly get emails like this:

From: Support@MyService
Subject: Service Upgrade

Please send your password so we can migrate your account to our new servers..

Every time it happens I block the sender and recipient addresses, and grep the logs to verify nobody fell for it. If I'm quick enough, it doesn't matter, but people have fallen for it before I see the fake email.

Rick
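The log-scanning routine vanyel describes above (who got the lure, who replied, whose account then starts spamming) and Rick's grep of the logs after blocking the sender, as an added example that is not code from either poster or from the thread. It assumes a constructed, simplified one-delivery-per-line log format and a constructed lure address; real MTA logs differ, so the regex is the part to adapt.

```python
"""Phishing-campaign triage over mail logs (added example, not from the thread).

Assumes a constructed, simplified log format, one delivery per line:
    <ISO timestamp> <inbound|outbound> from=<addr> to=<addr>
Real MTA logs (postfix, exim, squirrelmail) differ; adapt LINE_RE to yours.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>inbound|outbound) from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)>$"
)

# Constructed: the address the lure is sent from and asks victims to reply to.
LURE_ADDR = "support@hotmail-upgrade.example"


def _burst(sender, start, count, step_seconds):
    """Constructed outbound burst: a hijacked account pushing spam in a short window."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} outbound "
        f"from=<{sender}> to=<target{i}@elsewhere.example>"
        for i in range(count)
    ]


# Constructed sample log: lure delivered to three users; bob and carol reply;
# dave replies although no delivery to him was logged (e.g. forwarded to him);
# bob's account starts spamming within an hour of his reply.
SAMPLE_LOG = "\n".join(
    [
        f"2009-10-03T08:01:12 inbound from=<{LURE_ADDR}> to=<alice@isp.example>",
        f"2009-10-03T08:01:13 inbound from=<{LURE_ADDR}> to=<bob@isp.example>",
        f"2009-10-03T08:01:14 inbound from=<{LURE_ADDR}> to=<carol@isp.example>",
        "2009-10-03T08:30:00 inbound from=<news@shop.example> to=<alice@isp.example>",
        f"2009-10-03T09:15:42 outbound from=<bob@isp.example> to=<{LURE_ADDR}>",
        "2009-10-03T09:40:05 outbound from=<alice@isp.example> to=<friend@other.example>",
        f"2009-10-03T10:02:11 outbound from=<carol@isp.example> to=<{LURE_ADDR}>",
        f"2009-10-03T11:45:00 outbound from=<dave@isp.example> to=<{LURE_ADDR}>",
        "garbled line that must be skipped, not crash the scan",
    ]
    + _burst("bob@isp.example", datetime(2009, 10, 3, 10, 0, 0), 60, 30)
)


def parse_log(text):
    """Parse log lines into dicts; lines not matching LINE_RE are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "dir": m["dir"],
                           "from": m["frm"].lower(), "to": m["to"].lower()})
    return events


def lure_recipients(events, lure_addr=LURE_ADDR):
    """Addresses the lure was delivered to: these users get the warning mail."""
    return sorted({e["to"] for e in events
                   if e["dir"] == "inbound" and e["from"] == lure_addr.lower()})


def responders(events, lure_addr=LURE_ADDR):
    """Accounts that mailed the phisher, with the time of their first reply.
    Anyone here has handed over a password and needs a reset, whether or not
    they appear in lure_recipients()."""
    first_reply = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["dir"] == "outbound" and e["to"] == lure_addr.lower():
            first_reply.setdefault(e["from"], e["ts"])
    return first_reply


def outbound_rate_alerts(events, window=timedelta(hours=1), threshold=50):
    """Senders whose outbound count in any sliding window exceeds threshold,
    as {sender: peak count}. This is the 'auth rate too high' pager check;
    the threshold is per-site tuning to keep false positives down."""
    times_by_sender = defaultdict(list)
    for e in events:
        if e["dir"] == "outbound":
            times_by_sender[e["from"]].append(e["ts"])
    alerts = {}
    for sender, times in times_by_sender.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop sends older than the window
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[sender] = max(alerts.get(sender, 0), count)
    return alerts


def accounts_to_reset(events, lure_addr=LURE_ADDR):
    """Confirmed responders plus accounts already showing a spam burst."""
    return sorted(set(responders(events, lure_addr)) | set(outbound_rate_alerts(events)))
```

Run `accounts_to_reset(parse_log(SAMPLE_LOG))`: on the constructed log it returns bob, carol and dave, with bob additionally flagged by the rate check because of the burst after his reply.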

Ban them. (4, Insightful)

Magrovsky (883765) | more than 4 years ago | (#29671881)

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

Re:Ban them. (3, Funny)

Killer Orca (1373645) | more than 4 years ago | (#29671941)

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves. Alternatively, maybe the webmail providers should set more strict rules for the passwords.

Hey I play with my purple internet buddy each time I go on the computer and have never hurt myself or anyone else!

Re:Ban them. (1)

fprintf (82740) | more than 4 years ago | (#29672423)

If your buddy turns purple, you're doing it wrong.

Re:Ban them. (5, Funny)

ibsteve2u (1184603) | more than 4 years ago | (#29672041)

People with "12345" or similar passwords should get their own internet, where they would be allowed to share lolcatz and powerpoint chains, play with their purple internet buddy, and zap those cute webmonkeys on banners without hurting themselves.

Didn't they use to call that "AOL"?

Re:Ban them. (1)

Cocoronixx (551128) | more than 4 years ago | (#29672105)

.... Meant to mod this 'Insightful', mouse decided it was 'Redundant'. Cool how slashdot 2.0 has a (mandatory) preview for messages, but not for moderation.

Re:Ban them. (0)

Anonymous Coward | more than 4 years ago | (#29672371)

Maybe you just need an idiot-proof mouse (HINT: advertising your clumsiness is a really big clue). We certainly can't expect slashcode to be idiot-proof, since it's actually written by idiots. :P

Re:Ban them. (2, Insightful)

rocketPack (1255456) | more than 4 years ago | (#29672279)

Something tells me that the majority of these accounts were probably never really used. They are probably throw-away emails, created to get that "One day free pass" to various porn sites, or as general spam-traps.

I think it ought to be policy that derelict accounts, ESPECIALLY those which have weak passwords, be 'locked' after a period of inactivity. Reactivation could be accomplished with, say, a series of difficult CAPTCHAs so the account is always able to be 'revived' but not hijacked like this.

It just seems irresponsible to have such a lack of control over these kinds of things...

Re:Ban them. (0)

Anonymous Coward | more than 4 years ago | (#29672591)

You know what ph1shing even means?

If these are throwaway accounts (for which all the sane people use dedicated services like slopsbox these days), then why the hell are those users taking ph1shbait? Besides, generally the people who can be ph1shed aren't clever enough to use throwaway accounts to block spam. I guess your pr0n example makes sense, but still leaves wtf they would be reading the ph1shbait if they already tossed the account.

a scary thing of manipulating URL? (1)

k6mfw (1182893) | more than 4 years ago | (#29671901)

I get these phishy emails all the time but I look at the actual URL and see it is not actually coming from the service or agency. One time I saw it vectored to a site which I did a whois lookup of the domain name and it listed the name, address, and phone number of someone in southern Calif (not China). However, the scary thing is what happens if these people figure a way to "scoop" or "fraud" (whatever) the URL displayed on bottom of my browser window and in the address bar? But on identity theft they say most of it was done with basic skills like going through someone's trash or bank employees (72% of banks report employees committed fraud).

Re:a scary thing of manipulating URL? (0)

Anonymous Coward | more than 4 years ago | (#29671991)

I've adopted the personal policy that I never click on a URL in an email. Go to the site manually if it's something worth viewing.

Fake URLs, DNS spoofing shouldn't matter (1)

wsanders (114993) | more than 4 years ago | (#29672333)

The point to get across is that no (reputable) service or agency will ever, ever send you an email asking you to fill in and email back ANYTHING anymore.

If I were to ever get a legitimate email from my bank or credit card asking for personal information, I would call them and ask them WTF they were doing.

My estimate is that your average stupid phishing victim is just as likely to reply with their personal information regardless of whether the email is obviously fake.

Top 20 Passwords (2, Informative)

osomoore (1446439) | more than 4 years ago | (#29672011)

Top 20 most common passwords:
123456 - 64
123456789 - 18
alejandra - 11
111111 - 10
alberto - 9
tequiero - 9
alejandro - 9
12345678 - 9
1234567 - 8
estrella - 7
iloveyou - 7
daniel - 7
000000 - 7
roberto - 7
654321 - 6
bonita - 6
sebastian - 6
beatriz - 6
mariposa - 5
america - 5

From 2 links deep (http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/)

Re:Top 20 Passwords (2, Interesting)

Teun (17872) | more than 4 years ago | (#29672053)

Which tells me there is an unusual number of Latino users among the 10K.

Re:Top 20 Passwords (1)

clone53421 (1310749) | more than 4 years ago | (#29672165)

Baloney. Everyone knows the most commonly used password is "password1".

Re:Top 20 Passwords (1)

jonbryce (703250) | more than 4 years ago | (#29672777)

You should use something like P@55W0rd. Then nobody will guess it.

Unencrypted passwords? (1)

jhumkey (711391) | more than 4 years ago | (#29672087)

So Unix is 40 years old, and knew at birth what Microsoft still hasn't figured out. It's a bad idea to store unencrypted passwords. Got it.

Re:Unencrypted passwords? (2, Informative)

4D6963 (933028) | more than 4 years ago | (#29672205)

Huh??? I thought that was collected by phishing? Yeah, sorry for getting in the way of your ritual MS bashing, but it's something that can affect any service since it's essentially social engineering. Kind of.

Re:Unencrypted passwords? (1)

operagost (62405) | more than 4 years ago | (#29672237)

It's phishing. The passwords weren't stored encrypted; they were collected directly via the fake server. Also, please correct me if necessary, but wasn't the original passwd "encryption" just some kind of weak hash?

Re:Unencrypted passwords? (0)

Anonymous Coward | more than 4 years ago | (#29672771)

By modern standards, yes, it was not very good.

Stronger than WfW was using >20 years later, though.

Still, the real difference of modern UNIX passwords isn't the newer hashes, but the shadow passwords, where encrypted passwords aren't stored in a world-readable file, so grabbing the whole file and cracking offline is no longer possible without root. (And if they've got root, they don't need the passwords that bad. Still could be useful if the users may be using the same passwords elsewhere, of course, but you should be much more concerned about the attacker owning your box _now_ than possibly guessing your users' webmail passwords in the future.)

Re:Unencrypted passwords? (1)

SnarfQuest (469614) | more than 4 years ago | (#29672253)

Remember, it's "I before E, except after C"

there are a lot of really smart people who can't remember this rule. Einstein really had a problem with it.

Re:Unencrypted passwords? (0)

Anonymous Coward | more than 4 years ago | (#29672475)

Remember, it's "I before E, except after C"

there are a lot of really smart people who can't remember this rule. Einstein really had a problem with it.

I didn't realize Einstein's name was English and subject to English spelling rules.

Re:Unencrypted passwords? (0)

Anonymous Coward | more than 4 years ago | (#29672451)

Got it.

The only thing you "got" is laughed at. What an idiot.

Social Engineering (0)

Anonymous Coward | more than 4 years ago | (#29672161)

What's the fuss here? This sort of social engineering has been going on for a long time whether it is a mail server or ebay. I'm not saying the facts are not true ... but I'd bet this has been going on for years.

filestube (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29672245)

http://www.filestube.com/

I dunno about you, but this site makes me want to log in with my youtube/google/gmail password.

That's the stupidest combination I've ever heard.. (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#29672391)

That's amazing! I've got the same combination on my luggage!

What I don't get... (1)

mrbene (1380531) | more than 4 years ago | (#29672443)

Is why it's a "leak" if phishing was the method used to acquire the list. Or why it's still referred to as a "bug". Some sort of bug in the Human OS, right near the gullibility logic loop?

Dear Goldman Sachs: (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29672477)

Date: Wed, 7 Oct 2009 05:10:44

From: "kareem salami" kareemsalami@excite.com

PRIVATE BUSINESS PROPOSAL.

Dr. Kareem Salami

No. 16 Kingsway Road

Ikoyi, Lagos

Nigeria.

Tel/Fax: 234-1-7747907

7th March, 2009.

First I must solicit your confidence in this transaction.This is by virtue of its nature as being utterly confidential and top secret.

We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECIEVE the said trapped funds ABROAD.

The source of this fund is as follows : During the regime of our late head of state, Gen. Sani Abacha, the government officials set up companies and awarded themselves contracts which were grossly over-invoiced in various Ministries. The NEW CIVILIAN Government set up a Contract Review Panel (C.R.P) and we have identified a lot of inflated contract funds which are presently floating in the Central Bank of Nigeria (C.B.N).

However, due to our position as civil servants and members of this panel, we cannot acquire this money in our names. I have therefore, been delegated as a matter of trust by my colleagues of the panel to look for an Overseas partner INTO whose ACCOUNT the sum of US$31,000,000.00 (Thirty one Million United States Dollars) WILL BE PAID BY TELEGRAPHIC TRANSFER. Hence we are writing you this letter.

We have agreed to share the money thus:

70% for us (the officials)

20% for the FOREIGN PARTNER (you)

10% to be used in settling taxation and all local and foreign expenses.

It is from this 70% that we wish to commence the importation business.

Please note that this transaction is 100% safe and we hope THAT THE FUNDS CAN ARRIVE YOUR ACCOUNT in latest ten (10) banking days from the date of reciept of the following information by TEL/FAX:

234-1-7747907: A SUITABLE NAME AND BANK ACCOUNT INTO WHICH THE FUNDS CAN BE PAID. PLEASE ENDEAVOUR TO RESPOND BY TELEPHONE OR FAX.

The above information will enable us write letters of claim and job description respectively. This way we will use your company's name to apply for payments and re-award the contract in your company name.

We are looking forward to doing business with you and solicit your confidentiality in this transaction.

Please acknowledge receipt of this letter using the above Tel/Fax number. I will bring you into the complete picture of this pending project when I have heard from you.

Yours Faithfully,
DR. KAREEM SALAMI.

It's a Phisher, Not a Bug (1)

Rary (566291) | more than 4 years ago | (#29672517)

...many are pointing to the same bug that claimed at least 10,000 passwords from Microsoft Windows Live Hotmail.

Phishing is not a "bug". A bug would mean this was some Microsoft developer's fault. There is nothing a developer can do to prevent someone from conning someone else into giving up their password.

Re:It's a Phisher, Not a Bug (1)

jonbryce (703250) | more than 4 years ago | (#29672791)

Their spam filter could do a better job of catching emails that purportedly come from Microsoft but didn't come from their servers.
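What that filter check looks like in practice, as an added example (not the thread's code or anything Microsoft ships): compare the domain the From: header claims against the IP that actually connected to the receiving MX, taken from the topmost Received: header. The authorized-sender table is an assumed stand-in for an SPF lookup, filled with documentation (TEST-NET) ranges rather than any real Hotmail sender addresses, and both messages are constructed for the example.

```python
import email
import email.utils
import ipaddress
import re

# Assumed stand-in for an SPF / allow-list lookup: networks permitted to send
# mail for a domain. A real filter fetches this from the domain's SPF record via
# DNS; the ranges here are TEST-NET documentation addresses, not real senders.
AUTHORIZED_SENDERS = {
    "hotmail.com": [ipaddress.ip_network("192.0.2.0/24")],
    "live.com": [ipaddress.ip_network("192.0.2.0/24")],
}

# Connecting address as recorded by the MTA: "from host (host [198.51.100.7])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sender_domain(from_header):
    """Lower-cased domain of the From: address; handles 'Display Name <addr>'."""
    addr = email.utils.parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def connecting_ip(msg):
    """IP from the topmost Received: header, i.e. the one our own MX stamped.
    Lower Received: lines were written by earlier hops and are attacker-controlled."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None

def looks_forged(raw_message):
    """True when From: claims a domain we hold a policy for but the connecting
    IP is not one of that domain's authorized senders."""
    msg = email.message_from_string(raw_message)
    nets = AUTHORIZED_SENDERS.get(sender_domain(msg.get("From", "")))
    if nets is None:
        return False  # no policy for this domain, so no verdict
    ip = connecting_ip(msg)
    if ip is None:
        return True   # claims a protected domain but the source is untraceable
    return not any(ip in net for net in nets)

# Constructed messages: a phish relayed through an unrelated host, and a
# legitimate notice from an address inside the authorized range.
PHISH = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.example.org with ESMTP; Tue, 6 Oct 2009 10:00:00 +0000
From: "Windows Live Hotmail" <account-security@hotmail.com>
To: victim@example.org
Subject: Verify your account

Your account will be closed unless you confirm your password at the link below.
"""

LEGIT = """\
Received: from bay0-omc1.hotmail.com (bay0-omc1.hotmail.com [192.0.2.25])
    by mx.example.org with ESMTP; Tue, 6 Oct 2009 10:05:00 +0000
From: "Windows Live Hotmail" <notices@hotmail.com>
To: user@example.org
Subject: Your password was reset

Your password was reset as requested.
"""

if __name__ == "__main__":
    print("phish forged:", looks_forged(PHISH))
    print("legit forged:", looks_forged(LEGIT))
```

Only the topmost Received: header is trusted because the receiving MX wrote it itself; anything below it arrived inside the message and can say whatever the phisher wants.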

PC Pro Got It Wrong (Slightly) (1)

Rary (566291) | more than 4 years ago | (#29672715)

The PC Pro article linked to in the summary misquoted its own source. It claims that "12345" is the most common password, however the source it links to actually shows "123456" as the most common password. "12345" doesn't even make the list.

There really aren't that many users using those "common" passwords. Only 82 users use the top two passwords, which make up only 0.8% of all the passwords in the list. Only 1.56% of the accounts used a top-10 password.

The rest of the information at the Acunetix link is quite interesting, though. The evaluation determines that only 6% of all the passwords used a combination of alpha, numeric, and other characters.
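The two statistics the comment above pulls from the Acunetix writeup, the share of accounts using a top-N password and the fraction of passwords mixing letters, digits and other characters, computed over a constructed password list as an added example (not Acunetix's script, and the list is not the leaked data):

```python
from collections import Counter

# Constructed sample list; counts are chosen so the figures are easy to check
# by hand, and are not the leaked Hotmail data.
SAMPLE = (
    ["123456"] * 6 + ["12345"] * 4 + ["password"] * 3 + ["qwerty"] * 2 +
    ["letmein", "abc123", "Tr0ub4dor&3", "p@ssw0rd", "hunter2",
     "xK9#mQ2!r", "sunshine", "iloveyou"]
)

def classify(password):
    """Bucket a password by the character classes it contains."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(not c.isalnum() for c in password)
    if has_alpha and has_digit and has_other:
        return "mixed"      # alpha + numeric + other, the 6% bucket in the writeup
    if has_alpha and has_digit:
        return "alnum"
    if has_alpha:
        return "alpha"
    if has_digit:
        return "digits"
    return "other"

def top_n_share(passwords, n):
    """Fraction of all accounts whose password is one of the n most common."""
    counts = Counter(passwords)
    covered = sum(count for _pw, count in counts.most_common(n))
    return covered / len(passwords)

def summarize(passwords, top_n=10):
    """The figures a leak analysis usually reports, as plain fractions."""
    classes = Counter(classify(pw) for pw in passwords)
    total = len(passwords)
    return {
        "total": total,
        "distinct": len(set(passwords)),
        "top2_share": top_n_share(passwords, 2),
        "top_n_share": top_n_share(passwords, top_n),
        "class_counts": dict(classes),
        "mixed_fraction": classes["mixed"] / total,
    }

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("accounts: %d, distinct passwords: %d" % (report["total"], report["distinct"]))
    print("top-2 share: %.1f%%" % (100 * report["top2_share"]))
    print("top-10 share: %.1f%%" % (100 * report["top_n_share"]))
    print("alpha+numeric+other: %.1f%%" % (100 * report["mixed_fraction"]))
    for cls, count in sorted(report["class_counts"].items()):
        print("  %-7s %d" % (cls, count))
```

On a real leak the top-N share is the interesting number: a small share, as in the thread, means the accounts were not harvested by guessing the obvious passwords, which fits the phishing explanation better than a brute-force one.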

31415 (5, Funny)

bzzfzz (1542813) | more than 4 years ago | (#29672793)

News Flash: 10,000 Slashdot accounts compromised in phishing scam. Most common passwords were 31415 and 0xdecafbad.

Affected users have been placed on an isolated network where they can't do anything but post whinges about Microsoft and Apple to a web server that runs SSL using a self-signed certificate and actually follows the RFCs.
