
Exposed! The passwords leaked in phishing scam

List of popular passwords in phishing scam that affected thousands of Hotmail, Gmail and Yahoo! accounts has been revealed

Most of the passwords leaked as part of a recent phishing attack involving 30,000 email accounts have been identified as weak by security firm Sophos.

An anonymous user posted the passwords of 10,000 Hotmail accounts online on October 1st, which Microsoft subsequently took down. The company had to block access to the affected accounts, with users asked to fill out an online form to reclaim access. Days later, the BBC revealed that passwords from other service providers such as Yahoo!, AOL and Gmail had also been targeted by the large-scale phishing attack, with reports that close to 30,000 accounts are now involved.

While there is no information yet on exactly who is responsible, the scam has brought online security into the spotlight internationally. A researcher from the security firm Sophos, who had the chance to quickly analyse the list of phished email addresses and passwords, revealed that the most popular passwords were “insecure”. These include:

neopets
123456
monkey
123321
tigger
password
princess
pokemon
kitty
casper
123456789
neopet
anime
iloveyou

“As well as being insecure, these passwords suggest a preoccupation with children’s popular culture,” wrote Paul O Baccas in a blog post for Sophos.

There is a debate raging over whether the password list is the result of traditional spam phishing campaigns or something entirely new, but Baccas believes that a rogue social networking application could be at play this time around.

Trend Micro, another security firm, has downplayed the scale of the attack. “What is surprising is not really the amount of accounts affected. It is only the fact that so many were exposed publicly that is surprising,” writes spokesman Rik Ferguson.

“There is a thriving underground market in stolen email account credentials and the numbers of accounts for sale on any given day easily number over the 30,000 or so that have been exposed in this latest story… This is not a ‘massive phishing campaign’, it is simply the ugly backside of online crime sticking out of the water for a second as they dive back into murkier depths,” Ferguson concludes.