Compromised Google, Facebook, Twitter Password is the Least of your Problems

American news media and blog sites have been flooded with warnings from cyber do-gooders for everyone to change their Google, Facebook, Yahoo and Twitter passwords after more than 2 million accounts have been compromised.

But if your system was one that was compromised, changing your password is the least of your worries.

Trustwave Spiderlabs announced on Tuesday that a Russian Pony Botnet server has been identified that had stolen credentials for about 2 million accounts. But this isn’t that big of a deal to Americans as of these, the mass majority were from systems in the Netherlands:

Only a tenth of a percent of systems affected were in America, for a grand total of 1,943 accounts!

And boys and girls, this is a Russian botnet server, which means that if your account is one that has been compromised by the botnet, guess what?

Your machine is most likely still infected with a keylogging, account stealing Trojan!

You may want to scan it for viruses and get that botnet client off your system!

This is not the only Pony Botnet Server out there either. In June SpiderLabs found a smaller one that had 650,000 credentials on it.

And while we are talking passwords, unbelievably, it looks like people are still using simple passwords on their social media accounts.

Here are a list of the top 10 passwords used according to SpiderLabs Analysis:

The number one password used was “123456”…


The top 25 Worst Passwords of 2012

One thing I like to do when a new password list is dumped from a hacker attack is to analyze them for patterns with a program like Pipal. Every year Splashdata takes a look at all of the passwords dumped over the year and provides a list of the worst passwords that exist. These passwords are short, simple or easily guessable.

So without further delay, here are the top 25 passwords NOT to use on your system according to Splashdata:

#              Password                Change from 2011

1               password                Unchanged
2               123456                    Unchanged
3               12345678                 Unchanged
4               abc123                    Up 1
5               qwerty                    Down 1
6               monkey                   Unchanged
7               letmein                   Up 1
8               dragon                    Up 2
9               111111                     Up 3
10             baseball                   Up 1
11             iloveyou                   Up 2
12             trustno1                  Down 3
13             1234567                   Down 6
14             sunshine                  Up 1
15             master                     Down 1
16             123123                     Up 4
17             welcome                  New
18             shadow                    Up 1
19             ashley                      Down 3
20             football                   Up 5
21             jesus                       New
22             michael                   Up 2
23             ninja                       New
24             mustang                  New
25             password1               New

New this year is the password compared to its position from last year. As you can see people are still using many of the same, easy to guess passwords year after year.

We have shown several password dumps analyzed with Pipal over the last few years and be it a small password dump of 20,000 or a large one of over 400,000, the top ten passwords are usually the same.

I can see why “password, 124567, and abc123” are always at the top of the list, but what in the world is people’s fascination with the password “Monkey”? It has always shown up in the top ten list of passwords used in every test that we have run.

Needless to say if you use any of these 25 passwords, change them now. Long complex passwords using upper and lower case letters, numbers and special characters are always the best way to go. As complex passwords reach 10 or greater characters the time it takes to crack them increases immensely.

On Windows based systems it is recommended to use 15 or more characters for your passwords. As on some older systems, 14 characters or less can be cracked in a very short amount of time (as few as 5 seconds!) if the password hashes can be obtained and if the system allows weak LM hashes.

Yahoo Password Dump Analyzed

Wow, not one, but two password dumps in one day. Hackers leaked a very large number of Billabong and Yahoo passwords in plain text with no need to try to crack them. We looked at the Billabong one earlier today using the password analysis tool Pipal, now let’s take a look at the Yahoo dump.

This one is huge, almost 450,000 users. Though from numerous reports most of these accounts leaked were not active, the latest reports are saying that many of the included cracked accounts were passwords to other sites. According to ABC News:

Some of the Yahoo Voices’ accounts listed email addresses with AOL, Gmail, Hotmail and Windows Live. Security firm Sucuri said that more than 100,000 Gmail addresses were included in the breach.”

And take into account that many people never change their passwords or use the same password at multiple sites and this is very concerning. Well, let’s go ahead and take a look at the dump as analyzed with Pipal.

Here are the top 7 Password Lengths:

The Complexity of the Passwords:

And Character Sets Used:

And as always, for some odd reason the password “monkey” always seems to show up in the top 10 lists. But this time it did not make it as a top 10 password:

It seems to have been supplanted by the password “0”. Two hundred and two people actually used “0” as a password!

Okay for the record, “monkey” was not a complete no-show. It was one of the top 10 base words!

It beat out Jesus, love, money and ninja!

All joking aside, what is bothersome is that some of the passwords leaked are pretty good passwords.

Check these out:

  • $coreS1BgM0rsl4me
  • $r87*CQG>36rkM

These would have taken a long time to crack if they had to be cracked manually. But here is the kicker, as the database that held the passwords was compromised via SQL injection, the hackers were able to grab the contents of the entire database. It doesn’t matter that some of the users had 17 character+ complex passwords. There was a web application security issue that led to the entire account database being dumped.

This really should drive home the fact of using good security measures at the network and especially the application server levels.

Billabong Password Dump Analysis

Over 20,000 passwords, supposedly leaked from Billabong have been floating around. And as usual, I like to grab the passwords and analyze them for patterns. So I took 21,435 of them and ran them through the password analysis program Pipal.

Here are the top 7 Password Lengths:

The Complexity of the Passwords:

And Character Sets Used:

And finally, and most importantly, the question that we always ask and the one that everybody wants to know.

Was “Monkey” one of the top passwords?

The answer is….


Pfhew, had us worried there. It slipped down to #10 – but as usual in password dumps – along with the company name, “password”, and “12345” – our favorite password “monkey” is there!