The claims in the messages are true. Security firm Trustwave recently discovered that around two million passwords for services such as Facebook, Twitter, Gmail, and Yahoo had been stolen via a large botnet. To guard against such attacks, users should change their passwords on a regular basis and ensure that they do not use the same password for more than one service.
Various messages currently circulating via social media posts and the blogosphere warn that around two million passwords for various online services, including Facebook, Twitter, Gmail and Yahoo have been stolen in a recently discovered cyberattack.
The claims in the messages are true. Security firm Trustwave published information about the massive breach in a December 3, 2013 blog post. Trustwave believes that the passwords were harvested via a large botnet known as Pony. The term “botnet” describes a network of computers that can be controlled from afar by criminals. Computers can be added to the botnet when users inadvertently download and install malware.
Trustwave is uncertain how old the stolen data is or how many of the passwords are still current. The BBC notes:
“We don’t know how many of these details still work,” said security researcher Graham Cluley. “But we know that 30-40% of people use the same passwords on different websites.
“That’s certainly something people shouldn’t do.”
Trustwave was also able to use the stolen data to analyse the relative strength of the passwords used. They note:
In our analysis, passwords that use all four character types and are longer than 8 characters are considered “Excellent”, whereas passwords with four or less characters of only one type are considered “Terrible”. Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category.
Trustwave has notified companies with users who may have been affected by the breach. Some of the companies have reportedly notified affected customers and reset passwords as required.
However, if you maintain the commendable habit of changing your passwords on a regular basis, now would be a good time to make the next change. If you don’t change your passwords regularly, NOW would be a good time to start doing so.
And, if you use the same passwords for multiple services, RIGHT NOW, would be a very good time to stop doing so.
And, since you are changing your passwords, make sure that you choose strong ones that are a mixture of uppercase and lowercase letters, numbers and special characters.