Stolen credentials found for about two million compromised accounts

Dec 05, 2013 by Nancy Owano

Researchers have discovered a mountain-high trove of stolen credentials. Some two million compromised accounts were found on a Netherlands-based server running a botnet controller nicknamed "Pony." In a blog post on Tuesday coauthored by Trustwave SpiderLabs security researchers Daniel Chechik and Anat Fox Davidi, the researchers said that "one of the latest instances we've run into is larger than the last with stolen credentials for approximately two million compromised accounts." At some point, the two said, the source code for Pony was leaked: "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9."

The haul included usernames and passwords snatched from mainstream accounts such as Facebook, Twitter, Google, and Yahoo, but the operators also scooped up FTP, remote desktop and secure shell account details. The tally: roughly 1.6 million website login credentials; 320,000 email account credentials; 41,000 FTP account credentials; 3,000 remote desktop credentials; and 3,000 secure shell account credentials. The last three categories matter beyond the individual account owner: FTP, RDP and SSH credentials give direct access to servers, and remain usable until they are rotated.

The blog noted that "Information discussed in this blog post was also disclosed to relevant parties." The title of the post, "Look What I Found: Moar Pony!", was making numerous headlines by Wednesday. Michael Mimoso of Threatpost, Kaspersky Lab's news service, observed of the discovery that "Since the Pony controller was leaked earlier this year, researchers have been finding more of them online used to manage botnets big and small."

In this instance, popular social networks accounted for the largest share of what was stolen, but other interesting findings emerged as well. Two social networking websites aimed at Russian-speaking audiences had a notable presence on the list, they reported, "which probably indicates that a decent portion of the victims comprised were Russian speakers." Pinpointing a targeted attack on a particular country, however, was not possible: a quick glance at the geo-location statistics would suggest the attack targeted the Netherlands, but that did not tell the real story, they said. "Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well."

They said attackers commonly deploy the reverse proxy technique to prevent discovery and shutdown of the Command-and-Control server. "This behavior," they said, "does prevent us from learning more about the targeted countries in this attack, if there were any." What they could conclude was that the attack was "fairly global," with victims scattered all over the world.
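The gateway effect the researchers describe is easy to miss if a controller log is only summed by country, and easy to catch if the same log is also grouped by address. The following Python is an added example, not SpiderLabs' code or Pony's log format: the log lines, the line layout ("<epoch> <client_ip> <event>") and the tiny IP-to-country table (RFC 5737 documentation ranges standing in for a geo-IP database) are all constructed for the demo. It shows the naive per-country count, the distinct-address count, and a check that flags any country whose entries come almost entirely from one address.

```python
"""Spot a single gateway / reverse-proxy address hiding behind one country's
share of a C&C log.  Added example; log format, entries and geo table are
constructed and hypothetical."""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for a geo-IP database (RFC 5737 documentation ranges).
GEO_PREFIXES = {
    "NL": ip_network("198.51.100.0/24"),
    "US": ip_network("203.0.113.0/24"),
    "RU": ip_network("192.0.2.0/24"),
}


def country_of(ip: str) -> str:
    """Map an address to a country code, '??' if unknown or malformed."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return "??"
    for cc, net in GEO_PREFIXES.items():
        if addr in net:
            return cc
    return "??"


def _build_sample_log() -> str:
    """Constructed log: one NL address (198.51.100.7) produces 20 of 21 NL
    entries, mimicking the gateway the article describes."""
    entries = [("198.51.100.7", 20), ("198.51.100.9", 1),
               ("203.0.113.10", 2), ("203.0.113.11", 1), ("203.0.113.12", 1),
               ("203.0.113.13", 1), ("203.0.113.14", 1),
               ("192.0.2.5", 1), ("192.0.2.6", 1), ("192.0.2.7", 1), ("192.0.2.8", 1)]
    lines, t = ["# constructed controller log, not real Pony output"], 1386200000
    for ip, n in entries:
        for _ in range(n):
            lines.append(f"{t} {ip} report")
            t += 37
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<event>\S+)$")


def client_ips(log_text: str) -> list:
    """Extract the client IP from every well-formed line; skip comments and junk."""
    ips = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ips.append(m.group("ip"))
    return ips


def entries_per_country(ips) -> Counter:
    """The naive view: number of log entries per country."""
    return Counter(country_of(ip) for ip in ips)


def distinct_ips_per_country(ips) -> dict:
    """The proxy-aware view: number of distinct addresses per country."""
    seen = defaultdict(set)
    for ip in ips:
        seen[country_of(ip)].add(ip)
    return {cc: len(s) for cc, s in seen.items()}


def suspected_gateways(ips, min_share=0.8, min_entries=5) -> list:
    """Return (country, ip, share) where one address produces at least
    min_share of a country's entries and the country has enough entries
    for the ratio to mean anything."""
    by_cc = defaultdict(Counter)
    for ip in ips:
        by_cc[country_of(ip)][ip] += 1
    flagged = []
    for cc, counts in by_cc.items():
        total = sum(counts.values())
        ip, n = counts.most_common(1)[0]
        if total >= min_entries and n / total >= min_share:
            flagged.append((cc, ip, round(n / total, 3)))
    return flagged


if __name__ == "__main__":
    ips = client_ips(SAMPLE_LOG)
    print("entries by country:     ", dict(entries_per_country(ips)))
    print("distinct IPs by country:", distinct_ips_per_country(ips))
    print("suspected gateways:     ", suspected_gateways(ips))
```

On the constructed log the entry count says NL 21, US 6, RU 4, which is the "targeted at the Netherlands" reading; the distinct-address count says NL 2, US 5, RU 4, and the gateway check flags 198.51.100.7 at a 95% share. Real geo-IP data would replace the table, but the two views and the share threshold are the part worth keeping.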

Another revelation is that, at the end of 2013, many computer users have still not dropped the poor password habits that make credential theft so damaging. The impulse remains to pick a password that is merely easy to remember. Password strength is no defense against a credential stealer running on the victim's machine, which captures the password whatever its complexity; it matters because weak and reused passwords let one stolen credential unlock other accounts. "So what's worse," said Mimoso, "finding two million passwords harvested by a botnet, or learning that most of the stolen passwords are terribly weak?"

The list had passwords such as 123456, 123456789, 1234, and "password." SpiderLabs rated six percent of the passwords "terrible," 28 percent "bad," 44 percent "medium," 17 percent "good," and just five percent "excellent."
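A distribution like the one quoted above comes from running each recovered password through a fixed rating rule and tallying the buckets. The Python below is an added example, not SpiderLabs' code: the article does not give their criteria, so the rule set here (a short deny-list of known-bad passwords, then length and character-class thresholds) is an assumption chosen for illustration, and the password list is constructed. It also reports the most repeated passwords, which is how "123456" tops such lists.

```python
"""Bucket passwords into the five strength classes the article quotes
(terrible, bad, medium, good, excellent) and tally the distribution.
Added example, not SpiderLabs' code: the rating rules are an assumption
and the password list is constructed."""
import string
from collections import Counter

BUCKETS = ("terrible", "bad", "medium", "good", "excellent")

# Assumed short deny-list; a real one would be a large leaked-password corpus.
COMMON = {"123456", "123456789", "1234", "password", "qwerty", "iloveyou", "111111"}

# Constructed sample, with "123456" repeated to mimic the real lists.
SAMPLE_PASSWORDS = [
    "123456", "123456789", "1234", "password", "123456", "password1",
    "qwertyuiop", "iloveyou", "abc123", "Summer13", "letmein1",
    "P@ssw0rd", "Tr0ub4dor&3", "Monkey2013!", "correct horse battery",
    "S3cure!Passphrase2013", "123456", "111111", "Welcome1", "xK9#vLp2qR!7wZ",
]


def char_classes(pw: str) -> int:
    """Count distinct character classes present: lowercase, uppercase, digit, other."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def rate(pw: str) -> str:
    """Assumed rule set based on the deny-list, length and class count."""
    n, k = len(pw), char_classes(pw)
    low = pw.lower()
    # "password1" is still "password": strip trailing digits before the lookup.
    if low in COMMON or low.rstrip(string.digits) in COMMON:
        return "terrible"
    if n < 6 or (k == 1 and n < 8):
        return "terrible"
    if k == 1 or n < 8:
        return "bad"
    if k >= 4 and n >= 12:
        return "excellent"
    if k >= 3 and n >= 10:
        return "good"
    return "medium"


def distribution(passwords) -> dict:
    """Percentage of passwords in each bucket, rounded to one decimal."""
    counts = Counter(rate(pw) for pw in passwords)
    total = len(passwords) or 1
    return {b: round(100.0 * counts[b] / total, 1) for b in BUCKETS}


def most_common_passwords(passwords, n=5) -> list:
    """Most repeated passwords with their counts."""
    return Counter(passwords).most_common(n)


if __name__ == "__main__":
    for bucket, pct in distribution(SAMPLE_PASSWORDS).items():
        print(f"{bucket:>10}: {pct:5.1f}%")
    print("most common:", most_common_passwords(SAMPLE_PASSWORDS, 3))
```

The thresholds are deliberately simple; a production rating would also check dictionary words, keyboard walks and known-breach corpora. The deny-list lookup after stripping trailing digits catches the "password1" pattern that a pure length-and-classes rule would wave through.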

SpiderLabs is described as "an elite team of ethical hackers, investigators and researchers" at Trustwave.

More information:… found-moar-pony.html

User comments: 1

not rated yet Dec 05, 2013
It doesn't really matter how secure your password is. Don't you know that Facebook and Google are already scanning your information and making it available to other businesses and government? They've basically already hacked your account and exploited you in ways we're only beginning to understand. Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
