If you are concerned your information has been released in one of the recent LulzSec data dumps, Gizmodo.com has a leak checker available. Go check there.
A boatload of ill-gotten e-mail addresses and passwords found itself dropped off at a public port by LulzSec when they released a 62,000-line file. About 12,000 of the e-mail addresses and passwords have been connected to the website Writerspace.com.
“We are in the process of contacting all members impacted by the attack,” wrote the administrators of Writerspace.com about the exposure, “and we sincerely regret the inconvenience this may cause any of our site members. We want to assure our readers that we take our responsibility for protecting your personal information very seriously.”
Shortly after the release of the many e-mails and passwords, LulzSec asked their fans and followers on Twitter to use the authentication information from the file to attempt to hack into common e-mail services and other websites. As a result, some portion of @LulzSec’s 177k followers started to break into Facebook accounts, Amazon.com, and even at least one PayPal account using the pilfered information.
“@LulzSec Got an Xbox Live, Paypal, Facebook, Twitter, YouTube THE WHOLE LOT! J-J-J-J-J-J-JACKPOT,” @TheDancingMilk tweeted about their successes with the passwords.
Another found a Netflix account, cleaned out the DVD queue, and replaced it with the movie Hackers.
The online malicious prankster group LulzSec has been making headlines lately by targeting numerous soft targets with automated security-test software in order to find intrusion points and steal data. So far they have managed to strike Sony, hack Nintendo, the U.S. Senate and software publisher Bethesda, and even a pornography industry website. This week they changed gears from hacking and intrusion and started using distributed denial of service attacks to down websites, including one run by the United States Central Intelligence Agency, leading the IT security industry outfit Sophos to dismiss LulzSec as debutantes and cybervandals without any class.
In order to secure themselves, users are encouraged not to use the same password across many websites. In fact, it’s best to avoid the same authentication information between any high visibility or similar websites (especially, never use the same password for e-mail and a login). With Internet highwaymen like LulzSec Robin Hooding their way through the minimal security at both corporate websites and little-known holes-in-the-wall, it’s more important than ever to be on your toes about your personal security on the net.
The release of 62k logins has opened up a lot of curiosity about what people use for passwords. As a result, some enterprising individuals have mined the data. Above is an image of a tag-cloud of the most commonly used passwords occurring in the data—a numerical “123456” used over 558 times—with “123456789” a close second at 181 times.
In fact, this sort of study is what led many to guess that much of the data set belonged to a community of writers, judging by many of the passwords involving romance, books, and mystery. As we know now, Writerspace.com only represents 12,000 of the 62k passwords (meaning only about 20%) and we still don’t know the source of the rest of the logins.
“The passwords that LulzSec gave us weren’t quite as bad as we’d expected, but they weren’t secure either,” writes Rafe Kettler, the source of the above data mining analysis. “Clearly, the source of these passwords did not enforce password security as much as they needed to, judging by the number of passwords that were all lowercase or all digits and exceedingly short. Web developers: force your users to use long and complex passwords. It’s good for them. Users: use better passwords.”
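For web developers acting on that advice, here is an added example (not code from this article or from Kettler's analysis) of a signup-time check that flags the weakness classes the analysis names: common, short, all-digit and all-lowercase passwords. The 12-character minimum, the function names and the sample list are assumptions; the denylist holds only the two passwords cited above.

```python
from collections import Counter

MIN_LENGTH = 12  # assumed policy value; the article gives no number
# Only the two most common passwords named in the article.
# A production denylist would be loaded from a much larger breached-password set.
DENYLIST = {"123456", "123456789"}


def weaknesses(password, denylist=DENYLIST, min_length=MIN_LENGTH):
    """Return the reasons a password should be rejected (empty list = accept)."""
    reasons = []
    if password.lower() in denylist:
        reasons.append("common")
    if len(password) < min_length:
        reasons.append("too_short")
    if password.isdigit():
        reasons.append("all_digits")
    elif password.isalpha() and password.islower():
        reasons.append("all_lowercase")
    return reasons


def audit(passwords):
    """Count weakness classes across a set of candidate passwords."""
    counts = Counter()
    for pw in passwords:
        # A password with no weaknesses is tallied once under "ok".
        counts.update(weaknesses(pw) or ["ok"])
    return counts


# Constructed sample input, not taken from the leaked file.
SAMPLE = ["123456", "romance", "mystery1", "123456789",
          "Tr4il-of-Paper-Lanterns", "books"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {weaknesses(pw) or 'accepted'}")
    print(dict(audit(SAMPLE)))
```

Run `weaknesses()` on the plaintext at registration or password change, before it is hashed, and reject the request with the returned reasons so the user knows what to fix.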
Stay safe out there. Avoid using the same passwords across multiple sites, mix it up with tougher passwords, and change them regularly on sensitive sites.