{"id":15003,"date":"2014-09-10T17:08:13","date_gmt":"2014-09-10T17:08:13","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2547"},"modified":"2020-02-26T10:55:34","modified_gmt":"2020-02-26T15:55:34","slug":"a-large-number-of-mail-password-leaks-what-gives","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/a-large-number-of-mail-password-leaks-what-gives\/15003\/","title":{"rendered":"A large number of mail password leaks: what gives?"},"content":{"rendered":"<p>A series of leaks was reported by Russian media, affecting the local services Mail.ru and Yandex, as well as Gmail: <a href=\"https:\/\/www.cbsnews.com\/news\/russian-hackers-steal-5-million-gmail-passwords\/\" target=\"_blank\" rel=\"noopener nofollow\">a reported leak from Gmail.com<\/a> accounts for almost 5 million logins and passwords. It was preceded by similarly massive leaks from two leading Russian free email providers \u2013 Mail.ru (over 4 million) and Yandex.ru (~1 million passwords). While not disastrous by today\u2019s \u201cstandards\u201d, it is a wake-up call for those relying on passwords alone, without any \u201cplan B\u201d for incidents such as this one.<\/p>\n<p>Both Yandex and Mail.ru responded quickly, reporting that the majority of the compromised accounts are either \u201cdead\u201d or bot-created. Both companies also insist this leak isn\u2019t the result of a single, targeted \u201cgathering\u201d operation, but rather the consequence of long-running malware activity on the victims\u2019 PCs. 
<\/p>\n<p>\u201cWe have been aware of 85% of the compromised accounts for a long time, thanks to analysis of their behavior or some other ways,\u201d Yandex representatives said. \u201cWe have warned their owners and attempted to make them change passwords, but they haven\u2019t done it. That means that these accounts are either abandoned or created by robots.\u201d<\/p>\n<p>Similar statements were made by Mail.ru, which said that the leaked passwords are the consequence of malware activity and of the victims visiting malicious sites. The company also said that 95% of the leaked accounts had been blocked ahead of the leak.<\/p>\n<p>Then it was Google\u2019s turn. Actually, the company reacted publicly <em>ahead<\/em> of the actual publication of the leaked passwords: a day before those passwords surfaced, the company warned some of its e-mail service users about an attack by \u201cgovernment-backed hackers\u201d (it did not mention which government of which country is presumably behind this attack). Gmail has issued this kind of warning since 2012.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/09\/06020128\/wide-3-1.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-2549\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/09\/06020128\/wide-3-1.png\" alt=\"wide-3\" width=\"1000\" height=\"665\"><\/a><\/p>\n<p>The next day, the passwords leaked and now lots of people are taking their time checking whether they are among the affected. 
It is much more appropriate just to change your password ASAP.<\/p>\n<p>It doesn\u2019t seem like there is a disaster in the works: nothing like #heartbleed, for instance. But the collateral damage may be a bit larger than the direct one. The question is whether the same passwords could have been used elsewhere.<\/p>\n<p>An average Web user has to memorize up to several dozen passwords, so it\u2019s quite tempting to use similar, or even the very same, combinations.<\/p>\n<p>And that\u2019s a Big Mistake: crooks count on that. It\u2019s quite certain that script-kiddies are currently sifting through those \u201cmostly inactive\u201d passwords looking to use them at different resources.<\/p>\n<p>Although if they were really \u201charvested\u201d with malware, criminals already know everything \u2013 both the resources and the passwords.<\/p>\n<p>Passwords themselves are not an ideal protection, even when they are a solid combination and not something of the 1234qwerty sort. Criminals have a fair number of \u201cpicklocks\u201d, so passwords will be cracked if necessary, especially if the same ones are used for years.<\/p>\n<p>But hackers will wear themselves out dealing with two-factor authentication, electronic tokens and other means of password reinforcement. Yeah, sure, there are Zitmo and Spitmo (by the way, what a name for a comic about two hapless clowns), stealing mTANs straight from your phone. But your phone <a href=\"https:\/\/www.kaspersky.ru\/business-security\/mobile-device-management\" target=\"_blank\" rel=\"noopener\">is already equipped with everything necessary<\/a>, isn\u2019t it? 
:-)<\/p>\n<p>All in all, passwords should be approached \u201creligiously\u201d, especially in the business sphere. Appropriately, there are certain \u201cdeadly sins\u201d and \u201cvirtues\u201d of business infosec.<\/p>\n<p>Sins:<\/p>\n<ul>\n<li>1234 and asdfghj passwords<\/li>\n<li>Using the same password for a number of different resources<\/li>\n<li>Using the same password for more than half a year<\/li>\n<li>A yellow sticky note with a password written on it, stuck to your monitor for all to see \u2013 a great sin too.<\/li>\n<\/ul>\n<p>Change your passwords and sin no more.<\/p>\n<p>And about virtues:<\/p>\n<ul>\n<li>Multifactor authentication<\/li>\n<li>Tokens<\/li>\n<li>Passwords as long as an airstrip for military bombers<\/li>\n<li>Encrypted storage of passwords<\/li>\n<\/ul>\n<p>Surely, it\u2019s a chore to memorize such combinations, but again, there are password managers that allow you to use only one password for all of the resources you visit. That makes things much less painful.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A large number of logins and passwords to accounts in several free email services &#8211; Mail.ru, Yandex and Gmail.com &#8211; were leaked. Once again, passwords prove to provide insufficient protection. 
What does it mean for businesses?<\/p>\n","protected":false},"author":209,"featured_media":15840,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[175,2178,187,1046],"class_list":{"0":"post-15003","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-gmail","10":"tag-mail-ru","11":"tag-passwords","12":"tag-yandex"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/a-large-number-of-mail-password-leaks-what-gives\/15003\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/a-large-number-of-mail-password-leaks-what-gives\/15003\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/a-large-number-of-mail-password-leaks-what-gives\/15003\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/gmail\/","name":"gmail"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15003","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15003"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15003\/revisions"}],"predecessor-version":[{"id":33315,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15003\/revisions\/33315"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15840"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15003"}],"w
p:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15003"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15003"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}