How security-teams deal with leaking passwords
Finally: I have "The List" - I even posted where it is to find, for what I read was, that the security-teams of the major providers affected did their work properly deactivating all the affected accounts.
This is currently, three days after (early October 9th) NOT true. I removed the links from the previous posting, even if it is not so hard to find the lists using your favorite searchengine.
First of all, a bit of statistics:
The one BIG list is around 24.530 lines long, hosting a few double accounts. A quick check reveals (amongst many others):
- 592 gmail.com-accounts with password
- 22 googlemail.com-accounts with password
- 13.098 hotmail.com-accounts with password
- ~800 other hotmail-tld-accounts with password
- 477 msn-com-accounts with password
- 3.717 yahoo.com-accounts with password
- 971 aol.com-accounts with password
- 347 comcast.net-accounts with password
- 41 facebook-accounts with password
- 2 amazon-com accounts with password
- 6 ebay-accopunts with password
A phishing-scam is likely to be the source, lines like
Not Telling! michelle!
indicate that at least a few victims were clever enough not to enter their real mailadress.
The bad guys obviously checked the at least some of the victims inboxes and extracted facebook, amazon, ebay and bulletinboard-stuff manually to put it on the list. This is very incomplete and only done for a handful of the listed accouts.
Tonight I took some time to dig deeper, i couldn't resist to check a few accounts. I found the results quite interesting:
Google did a fine work. None of the gmail-accounts checked did work. And i checked quite a few.
Surprisingly Ebay did a fine work too. All checked ebay-accounts had either the password changed or the account locked. This looks like this:
I checked further. Major media told that microsoft did suspend or otherwise protect the affected hotmail-accounts.
This is obviously not completely true, for i found a few of the hotmail-accounts still working, funny enough many of them swedish!
Hence whats to be found in the inbox of the poor guys:
A security-warning with account-suspension from facebook.com. Good guys, too. But ugly, if the warning is sent to a Mailaccount that is also compromised.I got really disturbed when i checked the yahoo-accounts: A huge load of them is working.
Many of these InBoxes are stuffed with password-resets, security-hints or abuse-reports from other sites: Onlineshops, Bulletin-Boards, Web20-stuff. This leads to the conclusion that the accounts are circulating and actively exploited: Not only the mails, but also all other accounts depending on these inboxes. Password-Reset-Mails get sent there...
Yahoooooo. Wakeup-Call. Any security or customer service-stuff left at your offices?
I censored the links in my earlier blogposting, for i realized that so many accounts still work.
To sum it up:
Some, even if not really affected, acted fast and complete: Ebay suspended the accounts. Facebook sent warnings. Google seems to have fixed all accounts listed.
Security-guys over at Microsoft did a rather incomplete work, while the company pretends to have blocked all of the accounts listed.
Yahoo seems to have done nothing. (Did anybody at yahoo do anything in the last 2 years??)
Compliments go to google, facebook and ebay: I admit that i don't like the whole trio, but they silently did a fine job where others failed.
Note: This data is only gathered by examining ONE of the two lists mentioned by the bbc-article.
The second list has 10.030 lines and is also still publicly available. It hosts accountnames in alphanumeric order starting with A and B (ending with blan____13@hotmail.com:an_____ey) - this leads to the suggestion that there must be more HUGE lists containg accounts with C to Z.
Category Article Security
