Update on stolen webmail accounts

I wrote yesterday about the compromise of several thousand Hotmail accounts. Apparently, other webmail services were targeted too. There seems to be another list of about 20,000 accounts belonging to GMail and Yahoo among others that have also been compromised.

Since the account credentials were stolen using a phishing attack rather than by breaking into the websites themselves, the security of these webmail services is not in question. Actually, the fact that so many sites were affected indicates, according to some people, some other type of attack. For instance, it could be a keylogger attack. But a keylogger attack would result in the compromise of not just webmail accounts, but other accounts such as banks, photo sites, etc. As of now, the evidence does not indicate that scenario. While it is possible that the attackers are holding back from misusing all the credentials right away, it is unlikely, since the publicity surrounding this compromise would result in increased monitoring of sensitive accounts such as banks.

Another interesting fact came out. A researcher looked at the first list of 10,000 Hotmail accounts, and what do you think was the most popular password? “12345” came up 64 times in the list. While the problem may appear to lie with the users for selecting such a simple password, part of the blame lies with the websites too for allowing such passwords in the first place.

The news item is not headlined “Average Joe’s credentials stolen”. It is “Microsoft Hotmail accounts stolen”, which hits the website’s reputation more than the individual user. While there have been pages and pages written about the need for strong passwords, enforcement is imperative. We have seen repeatedly, one example being the Twitter breach, that even people who know about security sometimes use weak passwords.

While some sites enforce strong passwords, some do not, and others take a hybrid approach that lets users select an option to enforce strong passwords. I have performed vulnerability assessments on many applications that are sold as products or services over the web that take the last option. In my opinion, weak passwords are an old issue that we should not even have to deal with in this day and age.
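As an added illustration of the server-side enforcement this post argues for (example code written for this page, not taken from any of the webmail services mentioned), the following Python policy check rejects exactly the kind of password that turned up 64 times in the leaked list. It combines a minimum length, a small constructed blocklist of common passwords (a real deployment would load a much larger list of known-leaked passwords), a digits-only check, a distinct-character check, and a check that the account name is not embedded in the password. The `enforce` flag models the difference between sites that enforce the policy and the hybrid sites that only warn; the function names, thresholds and blocklist contents are all assumptions of this example.

```python
# Example password-policy check for a web registration or password-change form.
# Blocklist, thresholds and function names are constructed for this example.

MIN_LENGTH = 10
MIN_DISTINCT_CHARS = 4

# Constructed blocklist of trivial passwords; a production system would load
# a large list of known-leaked passwords instead.
COMMON_PASSWORDS = {
    "12345", "123456", "1234567", "12345678", "123456789",
    "password", "qwerty", "abc123", "111111", "iloveyou", "letmein",
}


def normalize(password: str) -> str:
    """Lower-case and undo a few common symbol substitutions so that
    'P@ssw0rd' is still recognised as 'password'. Digits other than '0'
    are left alone so that purely numeric passwords still match the list."""
    table = str.maketrans("@$!0", "asio")
    return password.lower().translate(table)


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if password.isdigit():
        problems.append("contains only digits")
    if len(set(password.lower())) < MIN_DISTINCT_CHARS:
        problems.append("uses fewer than %d distinct characters" % MIN_DISTINCT_CHARS)
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def accept_password(password: str, username: str = "", enforce: bool = True):
    """Decide whether to accept a password.

    enforce=True  models a site that rejects weak passwords outright.
    enforce=False models the hybrid sites the post describes: the problems
    are reported back to the user but the password is still accepted.
    Returns (accepted, problems).
    """
    problems = check_password(password, username)
    if enforce:
        return (len(problems) == 0, problems)
    return (True, problems)


if __name__ == "__main__":
    for pw, user in [("12345", "joe"), ("P@ssw0rd", "joe"),
                     ("joe_the_plumber_99", "Joe"),
                     ("correct horse battery staple", "joe")]:
        accepted, why = accept_password(pw, user, enforce=True)
        print("%-30r accepted=%s %s" % (pw, accepted, "; ".join(why)))
```

Note that the blocklist comparison runs on both the raw lower-cased password and the normalized form, so neither "12345" nor a lightly disguised dictionary word slips through; under `enforce=False` the same findings are produced but the registration goes ahead, which is why the post regards the hybrid option as insufficient.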