A series of leaks was reported by Russian media, affecting the local services Mail.ru and Yandex as well as Gmail: a reported leak from Gmail.com accounts for almost 5 million logins and passwords. It had been preceded by similarly massive leaks from two leading Russian free email providers – Mail.ru (over 4 million) and Yandex.ru (~1 million passwords). While not disastrous by today’s “standards”, it is a wake-up call for those relying on passwords alone, without any “plan B” for occurrences such as this one.
Both Yandex and Mail.ru responded quickly, reporting that the majority of the compromised accounts are either “dead” or bot-created. Both companies also insist this leak isn’t the result of a single, targeted “gathering” operation, but rather the consequence of long-running malware activity on the victims’ PCs.
“We have been aware of 85% of the compromised accounts for a long time, thanks to analysis of their behavior or some other ways,” Yandex representatives said. “We have warned their owners and attempted to make them change passwords, but they haven’t done it. That means that these accounts are either abandoned or created by robots.”
Mail.ru made similar statements, saying that the leaked passwords are the consequence of malware activity and of the victims visiting malicious sites. The company also said that 95% of the leaked accounts had been blocked ahead of the leak.
Then it was Google’s turn. Actually, the company reacted publicly ahead of the actual publication of the leaked passwords: a day before those passwords surfaced, the company warned some of its email service users about an attack by “government-backed hackers” (it did not say which country’s government is presumably behind this attack). Gmail has issued this kind of warning since 2012.
The next day, the passwords leaked, and now lots of people are taking their time checking whether they are among the affected. It is much more appropriate simply to change your password ASAP.
It doesn’t seem like there is a disaster in the works: nothing like #heartbleed, for instance. But the collateral damage may be a bit larger than the direct damage. The question is whether the same passwords were used elsewhere.
An average Web user has to memorize up to several dozen passwords, so it’s quite tempting to use similar, or even the very same, combinations.
And that’s a Big Mistake: crooks count on that. It’s quite certain that script-kiddies are currently sifting through those “mostly inactive” passwords, looking to use them at other resources.
Although, if the passwords were really “harvested” with malware, the criminals already know everything – both the resources and the passwords.
Passwords themselves are not ideal protection, even when they are a solid combination and not something of the 1234qwerty sort. Criminals have a fair number of various “picklocks”, so passwords will be cracked if necessary, especially if the same ones have been used for years.
But hackers will have a much harder time dealing with two-factor authentication, electronic tokens and other means of password reinforcement. Yeah, sure, there are Zitmo and Spitmo (by the way, what a name for a comic about two hapless clowns), stealing mTANs straight from your phone. But your phone is already equipped with everything necessary, isn’t it? :-)
All in all, passwords should be approached “religiously”, especially in the business sphere. Accordingly, here are certain “deadly sins” and “virtues” of business infosec.
Sins:
- 1234 and asdfghj passwords
- Using the same passwords for a number of various resources
- Using the same password for more than half a year
- A yellow sticky note with the password written on it, stuck to your monitor for all to see, is a great sin too.
Change your passwords and sin no more.
And about virtues:
- Multifactor authentication
- Tokens
- Passwords as long as an airstrip for military bombers
- Encrypted storage of the passwords
Surely, it’s a chore to memorize such combinations, but again, there are password managers that let you remember only one master password for all of the resources you visit. That makes things much less painful.
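As an added example (not part of the original post, and not the author’s code), here is a small Python audit that applies the sins and virtues above to a constructed credential inventory: keyboard-walk passwords of the 1234 and asdfghj sort, the same password reused across several resources, passwords older than half a year, and password length. The 16-character minimum, the extra keyboard walk “zxcvbn”, and the sample resources and dates are assumptions made for the illustration.

```python
"""Password-hygiene audit over a credential inventory.

Flags the "sins" from the post (weak keyboard-walk passwords, reuse across
resources, passwords older than half a year) and one "virtue" (length).
Added example; the inventory below is constructed, not real leaked data.
"""
from collections import defaultdict
from datetime import date

# Constructed sample inventory: (resource, password, date the password was last changed).
SAMPLE_INVENTORY = [
    ("mail.example", "1234qwerty", date(2013, 1, 10)),
    ("shop.example", "1234qwerty", date(2014, 2, 1)),
    ("bank.example", "correct-horse-battery-staple-9", date(2014, 8, 15)),
    ("forum.example", "asdfghj", date(2014, 8, 20)),
]

MAX_AGE_DAYS = 182   # "the same password for more than half a year"
MIN_LENGTH = 16      # "long as an airstrip": the exact threshold is an assumption

# Keyboard walks named in the post, plus "zxcvbn" (assumption).
KEYBOARD_WALKS = ("1234", "qwerty", "asdfghj", "zxcvbn")


def is_weak(password: str) -> bool:
    """True for keyboard walks and all-digit passwords."""
    low = password.lower()
    return low.isdigit() or any(walk in low for walk in KEYBOARD_WALKS)


def audit(inventory, today: date) -> dict:
    """Return {resource: [sin, ...]} for every resource with at least one sin.

    Sin names: "weak" (keyboard walk / digits only), "reused" (same password
    on more than one resource), "stale" (older than MAX_AGE_DAYS),
    "short" (below MIN_LENGTH).
    """
    # Group resources by password so reuse can be detected in one pass.
    resources_by_password = defaultdict(list)
    for resource, password, _changed in inventory:
        resources_by_password[password].append(resource)

    findings = {}
    for resource, password, changed in inventory:
        sins = []
        if is_weak(password):
            sins.append("weak")
        if len(resources_by_password[password]) > 1:
            sins.append("reused")
        if (today - changed).days > MAX_AGE_DAYS:
            sins.append("stale")
        if len(password) < MIN_LENGTH:
            sins.append("short")
        if sins:
            findings[resource] = sins
    return findings


def report(inventory, today: date) -> str:
    """Human-readable summary of the audit, one line per offending resource."""
    findings = audit(inventory, today)
    if not findings:
        return "no sins found"
    return "\n".join(f"{resource}: {', '.join(sins)}" for resource, sins in findings.items())


if __name__ == "__main__":
    # The audit date is fixed so the output is reproducible.
    print(report(SAMPLE_INVENTORY, today=date(2014, 9, 10)))
```

Run as a script it prints one line per resource that breaks a rule; only the long, unique, recently changed password passes clean. In practice the inventory would be exported from a password manager rather than typed into the source, which is also where the “encrypted storage” virtue is satisfied.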