The theft of passwords by the malware program Pony is affecting anyone who is on the worldwide "web" using email services, Facebook, Twitter, Google, LinkedIn, Yahoo, and other website accounts. It has many wondering whether their password was hacked. “More than 2 million Facebook, Google and other accounts have been compromised, security experts warn, compromising countless accounts and leaving Internet and financial companies scrambling,” reported Fox News on Dec. 5, 2013.
“The information security company Trustwave has revealed that the passwords to 2 million different accounts have been compromised. The malware program Pony forwarded the vast majority of the passwords to a central server in the Netherlands,” reported ABC News.
Unlike other password hacks, Pony was not a hack into any company’s server. It was a hack into individual personal computers via e-mail, since the malware program Pony is being sent through spam links.
Also unlike previous password hacks, passwords obtained through Pony were not publicly posted but will most likely be sold to other hackers, who can then use the passwords to access bank and other financial accounts.
Here is the breakdown of which accounts were affected the most:
- 318,000 Facebook accounts
- 70,000 Google accounts, including Gmail, YouTube and Google+
- 60,000 Yahoo accounts
- 22,000 Twitter accounts
- 9,000 accounts from Russian social network Odnoklassniki
According to Trustwave, here is a breakdown of the type of accounts that had passwords hacked:
- 1,580,000 website login credentials stolen
- 320,000 email account credentials stolen
- 41,000 FTP account credentials stolen
- 3,000 Remote Desktop credentials stolen
- 3,000 Secure Shell account credentials stolen
Password hackers and buyers of passwords love the fact that many people use the same password for different websites and that social network sites like Facebook provide a lot of personal information like birthdays, birth places, schools attended, and favorite pets – the kind of security questions that are frequently asked by banks.
Selling hacked passwords takes time, or hackers might intentionally keep the passwords on ice until no one is paying attention anymore. Former chief security officer for MySpace.com, Hemu Nigam, commented that “the other thing that everyone needs to worry about is sometimes hackers will obtain compromised account and then not do anything with them until 3 to 4 months later. So it's something to keep our guard up.”
So how do you know if your password has been hacked by Pony?
If your password has been hacked on any social media site or other website, don’t expect to receive an email informing you about a possible security breach. If your password is one of those that have been hacked, you will most likely find that when you try to access a website, you will be asked to reset your password.
According to John Miller, security research manager at Trustwave, many website services have already taken action and are asking those whose passwords have been compromised by hackers to reset their password.
John Miller said that Trustwave analyzed the passwords that were compromised in this latest hack and noticed that “foolish” passwords were affected the most. “The most common password was 123456. In addition, nearly half of all passwords used a single character type, such as all lowercase letters or all numbers.” This includes using “Password” as a password.
If you used “easy” passwords like any of the above, the likelihood that yours is among those millions of hacked passwords increases.
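The kind of password analysis Trustwave describes can be reproduced on any list of passwords you are responsible for auditing. The following is an added example, not Trustwave's code: the sample list is constructed, the function names are hypothetical, and the 16-character and four-character-type thresholds are taken from the tips further down this article.

```python
from collections import Counter

# Constructed sample list; not data from the Trustwave report.
SAMPLE = ["123456", "123456", "password", "Password", "qwerty",
          "111111", "Summer2013", "tr0ub4dor&3", "Xk9#mP2$vLq8!nRt4@"]

# The two "easy" passwords the article names, compared case-insensitively.
COMMON = {"123456", "password"}

def char_classes(pw):
    """Return the set of character types present in a password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes

def summarize(passwords):
    """Return (most common password, share using one character type)."""
    counts = Counter(passwords)
    single = sum(1 for pw in passwords if len(char_classes(pw)) == 1)
    return counts.most_common(1)[0][0], single / len(passwords)

def findings(pw):
    """List which of the article's criteria a password fails."""
    out = []
    if pw.lower() in COMMON:
        out.append("common password")
    n = len(char_classes(pw))
    if n == 1:
        out.append("single character type")
    elif n < 4:
        out.append("missing character types")
    if len(pw) < 16:
        out.append("shorter than 16 characters")
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
    for pw in sorted(set(SAMPLE)):
        print(repr(pw), findings(pw) or "passes")
```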
Instead of waiting to find out the hard way that your password has been hacked, below are 10 tips on what you can do now:
- Keep an eye on your bank and credit card statements for any signs that your password might have been hacked.
- If you have used an “easy” password, replace your password with a more difficult one.
- Even if you are already using a complex password, it might be a good idea to revisit important websites (including social media sites) and reset your passwords.
- For a better password, use a mix of uppercase, lowercase, numbers, and special characters.
- If possible, use longer passwords of 16 or more characters.
- Keep your anti-virus software up to date.
- Pay attention to browser updates and security patches.
- Use a different password for each different website. (Using a different password for each different website is comparable to using a different key for your car, your house, or your locker. How many people would use their car key as their house key?)
- Do not give out your birth date, place of birth, favorite pet, middle names, names of parents, or any answer to a security question that might be asked by a bank where anyone can see it, such as on Facebook.
- Do not click on links that are being sent through your email, even if the email comes from a trusted source.
Not clicking on an email link from a family member or a friend is one of the hardest things to do. And hackers are well aware of that.
Having hacked a Facebook password makes it even easier for hackers to determine whether to send a spam email under a family member’s name or under a friend’s name. Since Facebook also tells hackers where all of those people live, even their birthdays, etc., it becomes even easier for hackers to make an email look trustworthy – how convenient.
This latest incident of passwords hacked by the malware program Pony is a crucial reminder of why the worldwide web is called a “web.” Any information, including passwords, that is put on the “web” will stick as in a spider web and can become prey to anyone.