Security Advisories

Trustwave Press Releases

« SpiderLabs Responder Updates | Main | Hacking a Reporter: Sleepless Nights Outside a Brooklyn Brownstone (Part 3 of 3) »

03 December 2013


The pony2 botnet doesn't steal this kind of info. Sorry. It steals ftp accounts.

THIS HOAX, FAKE and I'm sure that you're also publisher of FAKE "LinkedIn Leak – 6.5 Million Passwords".

Why its fake:
1. no username or hash only bullshit chart
2. no Antivirus/Antimalware/AntiLogger news about your bot/RAT
3. if its true then you're FBI target because spying but now you're still safe

"Two Million stolen Facebook, Twitter login credentials found" is FAKE, HOAX

Interested: How many total passwords, exactly... and how many are unique (not duplicated)? and/or pair the user/pass uniqueness

also, can the passwords themselves be posted/searched? obviously strip any username association
I'd like to check some strings myself

There's a bias in your password analysis. The passwords collected are not representative of all users. They are representative of Windows users, particularly those using older operating systems and those using either out of date or no virus protection, malware protection or firewall. It also over-represents those who will click on any link without thought.

What you have discovered is that people who aren't concerned with security tend to use weak passwords.

At this time Trustwave has not released nor will it release a complete set of the discovered data. Stay tuned for a post later today that will discuss what we will release and to whom. Claims that any related information has been posted on a dump site is false.

Hey guys-- any luck on a plan to present this to the public yet? Word is this has appeared on dump sites... Can you get ahead of this and provide a way for people like me to see if any addresses from my company's domain appear in the dump?

Hopefully more people are paying attention and learning valuable lessons by this!

i am no able to logging in my facebook account.......i think my account is also hacked........i have tried to log in my ac and also reseted my password........when i press enter after filling id and password blank page appears.......please help me....i am in big trouble.............

excellent record...

Two million user passwords from Google, Yahoo, Facebook, Twitter,and other sites were stolen. reason are easy passwords, same passwords on multiple accounts, Using phone numbers as a password are easily to guess. But Now there are also number of Tips to protect your account and online data theft

Does anybody know if Brazil is included in the list of accounts stolen and where can I verify this information?


Rio de Janeiro, Brazil

Not a native English speaker, but I can't remember having read that the original list of account names and passwords was removed. Was it? And, what is the original URL where they were/are shown?
People should have the possibility to check if their account was cracked. How can it be made in such a way that checking that be indeed possible?
Does any "good fellow" (= not a malevolent hacker) have that list? Could they make the user names public at least? That would help a lot.

Not using Windows is a good advise, not only regarding this specific problem, but in general. Unfortunately, I still use W. for some applications, not to mention the printers, for most purposes I use OSs based on the Linux kernel, but I occasionally log into Gmail or other providers from within Gates' system, which makes me vulnerable. I support dropping Windows.

How about copying the database and make a tool so people could check if their accounts are compromised?

Ok what I would like to know...what kind of affect does it have when you have 2-Step Authorization turned on to login? Does that only slow them down?


Yes. They have programs that will try these combinations on other web sites. So, say your login to Facebook and LL Bean were both:

Password: SomePassword1

They would collect the username/password for Facebook, then at some future time through a program or perhaps even manually they would go to other web sites like LL Bean and see if the same combination worked. If as noted they were the same, they now can order stuff through LL Bean. Depending on if you have a permanent credit card saved and LL Bean isn't smart enough to not send you an email on change of delivery address, you could find yourself buying a Christmas present from LL Bean for a hacker.

Of course if you order something from LL Bean after your system is infected with a keylogger or the like, it won't matter. They'll have your LL Bean password anyway.

Clearly all of you in the know are concerned, but I fail to get it. So they stole my facebook password, which happens to be my password for so many other things. How do they know all those other things? They're going to randomly go to in the hopes that they can enter a comment under my name cause they have my password. Their going to go to LLBean and order a sweater because they have my password?

OK, let's kill the debate about entropy in English. Add a word in another language, and it's still easy to remember, but since there are many languages, I believe we have added not only quite a lot of entropy, but also a lot of decoding complexity. Or add ONE word with a number substitution: now the brute force dictionary approach will no longer work. Surely everything is better than a password you cannot remember and hence will write down everywhere?

just to make thinks clear, a "dictionary" attack is a type of brute forcing, its just a subset of full brute forcing. and, any weakness on the back side, like DES crypt or weak hashing, will eventually reveal the cleartext at some point. i've been in security for 18+ years now, people must use 3 of 4 char sets (caps,lower,#,special) with length 6-8min, AND, did i say AND, change password every 60-90 days for sensitive accounts. many times these lists are built over long period of time and not exposed publicly right away.

While we OF COURSE hope that people use strong passwords, the whole discussion really doesn't matter in this case. Malware stole these passwords. If your password was -


the malware would STILL have stolen your password. And if you used that same password in other websites or apps, it would still be able to get in there as well.

PS: I agree with CleverBoy - providing an interface to check if yours is one of the compromised accounts would be very helpful. Not only would it let you know you need to change your password, but it would also clue you in that you have a system with malware.

"had a password of 10 characters or longer"

Yes, while it is a good point that a longer password (or passphrase) is better than a shorter convoluted one, it's a bit of apples to oranges here. If I am to follow the exploit correctly, these password were captured through key loggers or mining the browser saved passwords. In that case, complexity et al doesn't matter - they have access to the cleartext outright.

Complexity only helps where the server hash is compromised. In that case it's not completely unlikely that the server password UI itself will be compromised, once again potentially giving access to the cleartext. Regardless, looking to "layered security", you're better off with a longer password as indicated.

One problem that still remains is not all hashes can actually equally represent the bits in the original password (for instance Unix DES crypt). Thus a week hashing algorithm can break the benefits of a longer password.

Of course a worse scenario is that some sites don't hash at all, or use reversible encryption. Since most people do not use one password per site, once one of these badly behaved sites is compromised, the account is effectively compromised everywhere.

Finally, there is one mitigating factor - so many accounts have been compromised at this point it would take a bit of bad luck that yours would be the one used maliciously. Sort of like losing the lottery in reverse.

Still, it's not something I would bet against.

What this article really reveals is that strong passwords are useless if you are using Windows. You will be infected by a password-stealing trojan (they all are designed for Windows), it's just a matter of time. Note that FTP-passwords also are stolen, so the felons contaminate legitimate websites too. Cautiousness ("don't click suspicious links") is not enough. Antiviruses and antimalware are not enough because the felons continually test their drive-by download kits and trojans against all antiviruses and update their malware to evade or disable all antiviruses.

Unfortunately, the advice to use any free operating system instead of Windows on the same computer usually falls on deaf ears.


You cannot call yourselves "Ethical" If you try to get back at Gmail, Facebook, Twitter etc by releasing INNOCENT PEOPLES login details that are linked to their banks, salary's and personal details.


Don't kid people into thinking you're ethical. You're thieves and should be treated as such.

What really scuppers the XKCD-type of password is the enforced password selection rules most services require, I've tried it before and come unstuck in the following sort of scenario:

1.enter "correcthorsebatterystaple" (just for example). website says: "too long - make it shorter"
2. fine, abbreviate to "corrhorbatstap". website says: "need all of the following:uppercase,lowercase,numbers,special characters"
3. ok, change to"Corrhorb@tstap9836". website says: "not allowed THAT special character, choose a different one"
4. Go to rival website with less irritating policies and buy stuff off them instead!

DO NOT use a password like the comic suggests.

Brute forcing is a thing of the past for online passwords.

All that's happened here is they discovered a treasure trove of piss easy default level passwords on some European botnet.

1000 guesses a second is retarded, that's simply not going to happen online.

What people do use is dictionary attacks, if you use a wordlist with the words correct, horse, battery, stable. You can create a program to try all those words in different orders.

Nobody in their right mind is bruteforcing character by character these days.

Decrypting stolen passwords is possible but by no means an easy task, and using common words can actually make encryption weaker due to semantic analsis by more advanced (lets face it, professional institute level) password crackers, ie common words producing recognizable hashes.

Be careful. Common words don't have a lot of entropy. If your password is window-horse, it's not any better than wi-ho. Especially in English.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Your Information

(Name is required. Email address will not be displayed with the comment.)