Wednesday, December 04, 2013

Trustwave reports massive password heist affecting at least 2 million users worldwide, and many popular sites

CNN Money is reporting a massive password heist of over 2 million username/password combinations from a large number of well-known sites, including Facebook (the most affected), Twitter, LinkedIn, Google, Yahoo!, and payroll processor ADP. Facebook and Twitter, at least, notified affected users (as far as they could identify them) to change their passwords. The breach was discovered by Trustwave and appears to have originated from a particular Trojan running on infected machines, with the botnet controlled from servers in the Netherlands (as apparently identified by law enforcement now) and probably Russia and various other countries. It’s not clear that much (or even any) harm has actually occurred, but it’s clear that payroll accounts could be compromised, or illegal content could be distributed under a hacked user’s name.
Webroot has a discussion of the issue here
CNN has a full story here and reports that Trustwave discovered the compromised credentials on Sunday, Nov. 24, 2013.
Trustwave published its findings on December 3 and they are quite detailed, with analysis according to password strength, here.
On a few occasions, when I’m on Blogger, Google has said that an account is logged on elsewhere.
The message quickly disappears. I have changed passwords in response, and I have two-step logon enabled. Neither has made any difference to the message. It appears that it may be related to Windows 8 caching rather than an actual security problem. It has happened when the server connection was weaker and was sometimes accompanied by other errors, which go away in time as connectivity improves.
I think that other services should provide two-step logon, but I do wonder how this affects cell phone security. What happens if your cell phone, the device that receives the second-factor code, is stolen in a street or subway robbery?