Attacks/Breaches
12/5/2013
10:32 AM
Connect Directly
RSS
E-Mail

2 Million Stolen Passwords Recovered

The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials. Researchers promise to help people who were affected.

(Source: Image courtesy of Flickr user david.nikonvscanon)
(Source: Image courtesy of Flickr user david.nikonvscanon)

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
LetsTalkPaymnts
50%
50%
LetsTalkPaymnts,
User Rank: Apprentice
12/7/2013 | 3:11:48 AM
Fraud is growing
Even in other sectors like Payments fraud is creating issues http://letstalkpayments.com/fraudsters-make-hay-sun-shines-payment-system-attacks/
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
12/6/2013 | 9:44:30 AM
Re: Passwords are meaningless without privacy!
Facebook reportedly alerted those users whose account information was stolen (and it probably wouldn't have been that difficult for a hacker gain access anyway: I read that most of the passwords were along the lines of "password" or "123456").
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/6/2013 | 8:23:14 AM
Re: website logins
Definitely, and to be fair, the company suggested it was working on a range of responses. I'd expect that if it hasn't done so already, it will feed the details to larger online service providers. But for stolen email and FTP credentials, that might not be feasible, if their numbers are too great?
WKash
50%
50%
WKash,
User Rank: Apprentice
12/5/2013 | 11:05:31 PM
Passwords
Another reason why it's time we move beyond passwords to protect our privacy.

 
chrisp114
50%
50%
chrisp114,
User Rank: Apprentice
12/5/2013 | 10:35:46 PM
Passwords are meaningless without privacy!
So what if your facebook account is hacked. Don't you know that facebook is already scanning your information and making it available to other businesses and government? Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/5/2013 | 7:22:36 PM
website logins
We are [intending] to create a page, so users can check whether their account was compromised

Instead of creating a page with almost 1.6 million stolen website logins, isn't it easier to contact the companies involved (Google, FB, Yahoo, etc) so these companies can contact each affected person?

Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
12/5/2013 | 5:48:16 PM
Recovered the right term?
These passwords were detected - "recovery" implies getting the horse back in the barn.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio