Incident Response, Malware, TDR

Discovery of two million hacked credentials, ‘123456’ is again the common password

Researchers with SpiderLabs, the advanced security team with information security company Trustwave, discovered a treasure trove of nearly two million pilfered credentials from a variety of companies, including Facebook, Google, Yahoo, Twitter, LinkedIn and payroll service provider ADP.

The theft involved credentials for about 1.5 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops and 3,000 secure shell accounts, according to a Tuesday post, which shows that passwords were stolen from about 320,000 Facebook accounts, 70,000 Google-related accounts, 60,000 Yahoo accounts and 22,000 Twitter accounts.

The credentials were plundered courtesy of a Pony botnet controller that has a robust array of features, such as statistics, a control panel, user management, logging features and a database to manage all the data.

“Pony steals credentials in two ways,” John Miller, security research manager at Trustwave, told on Wednesday. “First is by searching for stored passwords in browsers, email clients, FTP tools and other software configuration files. Second is by monitoring browser traffic to identify when users are logging into a website and stealing the credentials as they are being sent.”

Trustwave researchers were not able to identify exactly what the attacker was doing with the credentials, Miller said, but he explained that email and social media accounts are usually sold in bulk for use in spam campaigns. He added that FTP and SSH credentials fetch a higher price because they often provide access to web servers where attackers can host botnet controllers or exploit kits.

“A quick glance at the geo-location statistics would make one think that this attack was a targeted attack on the Netherlands,” according to the post, which shows about 2,000 passwords were stolen from the United States. “Taking a closer look at the IP log files, however, revealed that most of the entries from [the Netherlands] IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the command-and-control server, which resides in the Netherlands as well.”

Pony is a standard threat that can be combated by keeping internet browsers patched and anti-virus software updated.

“Since oftentimes attackers target employees at a business in order to gain access to a business's sensitive information, businesses should also take precautions and have security technology in place that can help prevent exploitation and infection by monitoring web traffic, and can alert IT staff when an infected machine attempts to communicate to its command-and-control server,” Miller said.

Of the two million compromised accounts, more than 15,000 of them used ‘123456' as a password, according to the post, which also shows that about 5,000 accounts used ‘123456789' as a login code and roughly 3,000 used ‘1234' as a password.

Numbers appear to be a common theme in exposed passwords these days. Nearly two million accounts used ‘123456' as a password in the October breach of Adobe that affected 38 million customers and, similarly, about two million accounts used ‘123456' as a password in the November breach of dating website company Cupid Media, which affected about 42 million customers.

“Don't reuse passwords across services in order to limit your exposure should one of your accounts be compromised,” Miller said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.