Passwords stolen by attackers peering over users' so-called digital shoulders now number in the millions, reports ABC News on Thursday. In one of the largest password-harvesting incidents to date, over two million passwords were taken for accounts at the Internet's most popular destinations – Facebook, Google accounts and Twitter.
The information security company Trustwave reported its findings on SpiderLabs, the company's official blog, whose team describes itself as an “elite team of ethical hackers.”
According to their findings, the hacked passwords were from over two million different accounts, and break down as follows:
- 1,580,000 website login credentials stolen
- 320,000 email account credentials stolen
- 41,000 File Transfer Protocol account credentials stolen
- 3,000 Remote Desktop credentials stolen
- 3,000 Secure Shell account credentials stolen
After the passwords were mined, a malware program forwarded the vast majority of the passwords to a central server in the Netherlands.
“It was the individual users' computers that had the malware installed on their machine,” said John Miller, security research manager at Trustwave. “These passwords were never publicly posted. We can't say for sure, but [the hackers] were probably going to sell them.”
Miller said many of the hacked passwords were simple ones, such as consecutive numbers like 12345 or passwords with all lowercase or uppercase letters without any special characters. Most of the users whose accounts were hacked have likely already been notified, and need to create passwords that are more robust.
Miller’s advice to avoid a password hack?
“For a better password, we recommend a mix of uppercase, lowercase, numbers, and special characters,” said Miller. “We also recommend using longer passwords of 16 or more characters, as well as using different passwords on different websites.
“Keep your anti-virus software up to date and make sure your browsers are updated and patched to the latest version,” Miller said. “And above all, don't click that suspicious looking link in your email. [The malware] is sent through spam links.”
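The recommendations Miller gives above (16 or more characters, a mix of upper- and lowercase letters, digits and special characters, no simple sequences like 12345, and no password shared between sites) can be turned into a small self-check. The following is an added example written for this page; it is not code from the article, from ABC News or from Trustwave. It assumes that "special characters" means ASCII punctuation and treats any run of four or more consecutive ascending or descending characters as a "sequence"; both thresholds are assumptions, not figures from the article. It also goes one step beyond the quoted advice by scanning a set of per-site credentials for reuse, which is the check a user would run to act on the "different passwords on different websites" recommendation.

```python
import string
from collections import defaultdict

# Miller's stated minimum: 16 or more characters.
MIN_LENGTH = 16
# Assumed threshold for what counts as a "sequence" such as 12345 (not from the article).
SEQUENCE_RUN = 4


def _has_sequential_run(password, run_length=SEQUENCE_RUN):
    """True if the password contains run_length or more consecutive ascending or
    descending characters, e.g. '12345' or 'abcd'."""
    if len(password) < run_length:
        return False
    for i in range(len(password) - run_length + 1):
        chunk = password[i:i + run_length]
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def evaluate_password(password):
    """Return a list of violations of the quoted recommendations.

    An empty list means the password is long enough, uses all four character
    classes and contains no simple sequence."""
    problems = []
    # Presence of each character class; "special" assumed to mean ASCII punctuation.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    if _has_sequential_run(password):
        problems.append("contains a sequential run such as 12345")
    return problems


def find_reused_passwords(credentials):
    """credentials: mapping of site name -> password.

    Returns {password: [sites]} for every password used on more than one site,
    so the owner can see exactly which accounts share a secret."""
    by_password = defaultdict(list)
    for site, pw in credentials.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample credentials for demonstration only.
    sample = {
        "mail": "Blue!Kettle7#Sings9",
        "social": "Blue!Kettle7#Sings9",   # same password as "mail": reuse
        "forum": "12345",                  # the weak pattern named in the article
    }
    for site, pw in sample.items():
        print(site, evaluate_password(pw) or "ok")
    print("reused:", find_reused_passwords(sample))
```

Running the block prints one line per site listing the violations, then the reuse report, which for the constructed sample flags the shared "mail"/"social" password and the 12345 entry. The reuse check compares plaintext strings only because it is meant to be run locally by the account owner; a service-side check for reused credentials would compare salted hashes instead.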