Millions of email accounts, passwords stolen by hackers

The passwords and other details of 16 million email users in Germany have been stolen, the country’s security agency has revealed.

Millions of email accounts, passwords stolen by hackers

Millions of email accounts, passwords stolen by hackers

Researchers and prosecutors stumbled upon the hacked accounts while conducting research on a botnet, a network of computers infected with malware.

Germany’s Federal Office for Information Security (BSI) has created a website to help people find out whether or not their e-mail was among those hacked. The site temporarily crashed on Tuesday due to heavy traffic. Users who submit their email address to the website will be sent an message if their account has been compromised.

“If that happens, then your computer is most likely infected with malware,” Tim Griese, with the Federal Office for Information Security, told the news agency DPA.

Authorities have not released information on who stole the e-mail accounts.

About these ads

2 million stolen passwords for Facebook, Twitter, Google, Yahoo and others leaked online

Security experts have uncovered a trove of some 2 million stolen passwords to websites including Facebook, Google, Twitter and Yahoo from internet users across the globe.
passsResearchers with Trustwave’s SpiderLabs said they discovered the credentials while investigating a server in the Netherlands that cybercriminals use to control a massive network of compromised computers known as the “Pony botnet.”

The company said that it has reported its findings to the largest of more than 90,000 websites and internet service providers whose customers’ credentials it had found on the server.

The data includes more than 3,26,000 Facebook accounts, some 60,000 Google accounts, more than 59,000 Yahoo accounts and nearly 22,000 Twitter accounts, according to SpiderLabs. Victims’ were from the United States, Germany, Singapore and Thailand, among other countries.

Representatives for Facebook and Twitter said the companies have reset the passwords of affected users. A Google spokeswoman declined comment. Yahoo representatives could not be reached.

SpiderLabs said it has contacted authorities in the Netherlands and asked them to take down the Pony botnet server.

An analysis posted on the SpiderLabs blog showed that the most-common password in the set was “123456,” which was used in nearly 16,000 accounts. Other commonly used credentials included “password,” “admin,” “123″ and “1.”

Graham Cluley, an independent security expert, said it is extremely common for people to use such simple passwords and also re-use them on multiple accounts, even though they are extremely easy to crack.

“People are using very dumb passwords. They are totally useless,” he said.

Security flaw in 3G could allow anyone to track your smartphone

New privacy threats have been uncovered by security researchers that could allow every device operating on 3G networks to be tracked, according to research from the University of Birmingham with collaboration from the Technical University of Berlin.

Researchers said that standard off-the-shelf equipment, such as femtocells, could be used to exploit the flaw, allowing the physical location of devices to be revealed.

The 3G standard was designed to protect a user’s identity when on a given network. A device’s permanent identity, known as International Mobile Subscriber Identity (IMSI) is protected on a network by being assigned a temporary identity called a Temporary Mobile Subscriber Identity TMSI.

The TMSI is updated regularly while the 3G networks are supposed to make it impossible for someone to track a device even if they are eavesdropping on the radio link.

Researchers have discovered that these methods can easily be sidestepped by spoofing an IMSI paging request. Such a request is used by networks to locate a device so it can provide service.

Security flaw in 3G could allow anyone to track your smartphone

Security flaw in 3G could allow anyone to track your smartphone

Another vulnerability, the researchers said, lay in the Authentication and Key Agreement (AKA) protocol, which is used to provide authentication between a device and a network by providing secure shared session keys.

This “secret long-term key” (K IMSI) can be identified by sniffing the AKA request and then relaying that to all devices within a certain area. Every device except the target would return an authentication failure, thereby identifying the individual. Again, this could then be used to track location.

The research team took pains to emulate a real-world scenario under the environment, and they tested the attacks techniques against network providers including T-Mobile, Vodafone and O2 in Germany, and French outfit SFR.