Stolen credentials found for about two million compromised accounts

Dec 05, 2013 by Nancy Owano

Researchers have discovered a large trove of stolen credentials: roughly two million compromised accounts, found on a Netherlands-based server running an instance of the "Pony" botnet controller. In a blog post published Tuesday, Trustwave SpiderLabs security researchers Daniel Chechik and Anat Fox Davidi wrote that "one of the latest instances we've run into is larger than the last with stolen credentials for approximately two million compromised accounts." The source code for Pony was leaked at some point, they noted, which is why new instances keep turning up: "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9."

The haul included usernames and passwords for mainstream services such as Facebook, Twitter, Google, and Yahoo, but the malware also scooped up FTP, remote desktop (RDP) and secure shell (SSH) account details. The tally: about 1.6 million website login credentials; 320,000 email account credentials; 41,000 FTP account credentials; 3,000 remote desktop credentials; and 3,000 secure shell account credentials. The last three categories are the smallest but the most dangerous for a defender, since a single stolen FTP, RDP or SSH login opens a server rather than one person's account.

The post noted that "Information discussed in this blog post was also disclosed to relevant parties." Its title, "Look What I Found: Moar Pony!", was making headlines by Wednesday. Michael Mimoso of Threatpost, Kaspersky Lab's news service, observed that "Since the Pony controller was leaked earlier this year, researchers have been finding more of them online used to manage botnets big and small."

Popular social networks accounted for the largest share of the stolen logins, but other findings emerged as well. Two social networking websites aimed at Russian-speaking audiences had a notable presence on the list, the researchers reported, "which probably indicates that a decent portion of the victims comprised were Russian speakers." Pinpointing a targeted country proved impossible, however. A quick glance at the geo-location statistics would suggest an attack aimed at the Netherlands, they said, but that did not tell the real story: "Taking a closer look at the IP log files, however, revealed that most of the entries from NL IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the Command-and-Control server, which resides in the Netherlands as well."

Attackers commonly place a reverse proxy in front of the Command-and-Control server so that infected machines never connect to it directly, which makes the server harder to discover and shut down; a side effect is that the server's logs record the proxy's address instead of each victim's. "This behavior," the researchers said, "does prevent us from learning more about the targeted countries in this attack, if there were any." What they could conclude was that the attack was "fairly global," with victims scattered all over the world.
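The geo-location pitfall described above, as an added example that is not part of the original article or of SpiderLabs' analysis: a naive count of log entries per country is compared with a count of distinct source addresses, and any country whose entries come overwhelmingly from one address is flagged as a likely gateway or reverse proxy. The log lines, IP addresses and the 80 percent / five-entry thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of (source_ip, country) pairs in the shape a C&C access
# log yields after geolocation. The addresses are documentation ranges, not
# data from the dump the article describes.
SAMPLE_LOG = [
    ("203.0.113.7", "NL"), ("203.0.113.7", "NL"), ("203.0.113.7", "NL"),
    ("203.0.113.7", "NL"), ("203.0.113.7", "NL"), ("203.0.113.7", "NL"),
    ("203.0.113.7", "NL"), ("203.0.113.7", "NL"), ("203.0.113.7", "NL"),
    ("203.0.113.9", "NL"),
    ("198.51.100.2", "US"), ("198.51.100.3", "US"), ("198.51.100.4", "US"),
    ("192.0.2.10", "DE"), ("192.0.2.11", "DE"),
    ("192.0.2.20", "RU"), ("192.0.2.21", "RU"), ("192.0.2.22", "RU"),
]


def entries_per_country(log):
    """The naive view: raw log entries per country. A proxy that relays
    thousands of bots inflates its own country's count."""
    return Counter(country for _, country in log)


def unique_ips_per_country(log):
    """Distinct source addresses per country. A proxy collapses to one
    address here, so the inflation disappears."""
    ips = defaultdict(set)
    for ip, country in log:
        ips[country].add(ip)
    return {country: len(addrs) for country, addrs in ips.items()}


def proxy_candidates(log, min_share=0.8, min_entries=5):
    """Return (country, ip, share) for every country where a single address
    supplies at least min_share of that country's entries. Both thresholds
    are assumed values chosen for this example."""
    per_country = defaultdict(Counter)
    for ip, country in log:
        per_country[country][ip] += 1
    hits = []
    for country, counter in per_country.items():
        total = sum(counter.values())
        if total < min_entries:
            continue  # too few entries to call one address "dominant"
        ip, n = counter.most_common(1)[0]
        share = n / total
        if share >= min_share:
            hits.append((country, ip, round(share, 2)))
    return hits


if __name__ == "__main__":
    print("entries per country:", entries_per_country(SAMPLE_LOG).most_common())
    print("unique IPs per country:", unique_ips_per_country(SAMPLE_LOG))
    print("likely gateways/proxies:", proxy_candidates(SAMPLE_LOG))
```

On the constructed log, NL leads the raw count by a wide margin but drops to two distinct addresses once entries are collapsed per IP, and the dominant address is flagged; the remaining countries are left alone because their entries are spread across several hosts.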

Another lesson is that, at the end of 2013, many computer users still have not dropped the weak password habits that make a dump like this so valuable: the impulse remains to choose a password that is merely easy to remember. A stronger password would not have kept an account off this list, since an infostealer like Pony lifts credentials saved on the infected machine however they were chosen, but weak and reused passwords are what let a harvested list be replayed against other services. "So what's worse," said Mimoso, "finding two million passwords harvested by a botnet, or learning that most of the stolen passwords are terribly weak?"

The list included passwords such as 123456, 123456789, 1234, and "password." SpiderLabs rated six percent of the passwords "terrible," 28 percent "bad," 44 percent "medium," 17 percent "good," and just five percent "excellent."
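How a breakdown like the one above is produced from a credential dump, as an added example that is not from the article and does not use SpiderLabs' rating rules (which the article does not state): each password is scored on an assumed rule combining a common-password list, length and character variety, mapped to the five bucket names the article uses, and the bucket shares are tallied. The sample dump and the common-password list are constructed for illustration.

```python
import string
from collections import Counter

BUCKETS = ["terrible", "bad", "medium", "good", "excellent"]

# Assumed list of very common passwords. The four the article names are
# included; the rest are typical entries from public "worst passwords" lists.
COMMON = {"123456", "123456789", "1234", "password", "12345678", "qwerty",
          "111111", "abc123", "iloveyou"}


def char_classes(pw):
    """Number of character classes present: lower, upper, digit, punctuation."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def rate(pw):
    """Assumed scoring rule, not SpiderLabs': a known-common password or one
    under 6 characters is "terrible"; otherwise one point for each of
    length >= 8, >= 12 and >= 16 plus one point per character class beyond
    the first, mapped to bad (0), medium (1-2), good (3-4), excellent (5+)."""
    if pw.lower() in COMMON or len(pw) < 6:
        return "terrible"
    score = ((len(pw) >= 8) + (len(pw) >= 12) + (len(pw) >= 16)
             + max(char_classes(pw) - 1, 0))
    if score == 0:
        return "bad"
    if score <= 2:
        return "medium"
    if score <= 4:
        return "good"
    return "excellent"


def distribution(passwords):
    """Percentage of passwords in each bucket, keyed in BUCKETS order."""
    counts = Counter(rate(p) for p in passwords)
    total = len(passwords)
    return {b: round(100 * counts[b] / total) for b in BUCKETS}


# Constructed sample dump; not real stolen data.
SAMPLE_DUMP = [
    "123456", "password", "1234", "123456789",
    "monkey1", "sunshine", "letmein",
    "Summer2013", "football99",
    "Tr0ub4dor&3", "c0rrect-Horse-battery",
    "J8#kq2Lp!vx9Rz",
]

if __name__ == "__main__":
    for pw in SAMPLE_DUMP:
        print(f"{pw!r:28} {rate(pw)}")
    print(distribution(SAMPLE_DUMP))
```

The common-password check runs before the length and variety scoring on purpose: "123456789" would otherwise pick up a point for length, and a scorer that rewards length alone is exactly how "password1" style choices sneak into the "medium" bucket in real assessments.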

SpiderLabs is described as "an elite team of ethical hackers, investigators and researchers" at Trustwave.


More information:… found-moar-pony.html



User comments

Dec 05, 2013
It doesn't really matter how secure your password is. Don't you know that Facebook and Google are already scanning your information and making it available to other businesses and government? They've basically already hacked your account and exploited you in ways we're only beginning to understand. Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
