In all, the hackers have lifted 1.58 million website logins, 320,000 email account credentials, 41,000 FTP account credentials, 3,000 Remote Desktop credentials and 3,000 Secure Shell account credentials, according to Trustwave SpiderLabs. At first blush it seemed to be a targeted attack on the Netherlands, but it turns out that the perpetrators were using a reverse proxy to throw researchers off. The indications, Trustwave said, point to an attack is fairly global and that at least some of the victims are scattered all over the world.
Most of the data is from log-ins for popular websites and services such as Facebook, Google, Yahoo, Twitter and LinkedIn, but vk.com and odnoklassniki.ru, two social network websites aimed at Russian-speaking audiences, are also in the top 10.
“Another interesting item on the list is the payroll service provider adp.com,” said Trustwave researchers Daniel Chechik and Anat (Fox) Davidi, in a blog. “It is only natural to have such domains in the mix, but it is surprising to see it ranked No. 9 on the top domains list. Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions.”
The investigation found that the attack spiked at the beginning but was otherwise fairly stable and consistent in its daily “revenue” of passwords, which were largely of the poor strength variety.
Absent the ability to track the attack by geography, the researchers decided to use the sheer amount of data to perform password analysis. The results were “far from what your CISO would like to see,” they noted.
“Since we couldn’t think of anything to do with two million credentials for popular websites, social media, and email accounts, we decided to make some use of the quantity to look into users' password selection habits,” wrote Chechik and Davidi. “Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the medium category.”
For analysis, passwords that use all four character types and are longer than eight characters are considered excellent, whereas passwords with four or less characters of only one type are considered terrible.
The researchers also compared the data with data from a comparably sized MySpace account compromise in 2006. Back then, the top 10 most common passwords comprised only 0.9% of the total count. today, in 2013, they add up to 2.4%.
“This could be a result of MySpace having a minimum complexity policy, while in our data we have various domains with differing password complexity requirements,” the two said. “If our hypothesis is true, then the inevitable conclusion is that people still choose comfort over security. If you don’t enforce a password policy, don’t expect your users to do it for you.”
The analysis also compared the length of passwords in this recent compromise to the MySpace leak. In 2006 about 1.9% of passwords were just five characters or smaller. Today this number has tripled to 6.6%.
The majority of passwords were, and still remain, within the six-to-nine-character range.
“But not all hope is lost, it seems that more people are willing to go the extra mile and set a long password (if not a complex one),” the two concluded. “Back in 2006 only 17% had a password of 10 characters or longer. In 2013 we see an impressive ascent to 46%!”