Proactive IT Security
 

Lots of free email accounts compromised

Introduction

Earlier this month, tens of thousands of passwords to free email accounts from Microsoft (Hotmail), Google (GMail) and Yahoo were compromised. In a blog posting, Microsoft states that credentials belonging to several thousand Hotmail accounts were available on a third-party web site.

How is this possible?

In the Microsoft blog posting, it is stated that this was not due to a security breach in Microsoft's systems. We have no reason to doubt this. A security breach seems even less likely since email accounts from Google and Yahoo were affected as well.

A phishing scheme, as suggested by both Microsoft and Google, seems a plausible explanation.

We do not have any specific information about the phishing technique used. Phishing, however, has been discussed in several of our security articles over the year. You will find our most extensive coverage of the topic in two of Norman's little green books, listed below.

Password statistics

One security researcher was able to get more than 10 000 stolen Hotmail passwords from the web site where they were published, before that site became unavailable due to "maintenance".

The researcher analyzed the passwords and here are some of the more "interesting" findings:

  • One of the passwords used had only one character
  • The most used password by far is 123456
  • The password in the fourth place among the most popular is 111111
  • Among the top 20 passwords, not one used special characters (non-alphanumeric characters such as * % - $ and similar)
  • Only 6% used passwords that mix letters, numbers and special characters
  • The longest password was 30 characters (alphabet only)

It should be mentioned that these results may not be quite as alarming as they seem at first glance. It seems safe to assume that there is a strong correlation between those who fall for a phishing scheme and those who use weak passwords. Nevertheless, these password statistics give the security-savvy plenty of food for thought.
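The kind of composition analysis summarised in the list above, as an added example (not the researcher's own script): it runs over a small constructed password list and reports the same measures cited in the article, which is a useful starting point for auditing an organisation's own password dump from a breach notification.

```python
from collections import Counter
import string

# Constructed sample in the style of the leaked list; not the real data set.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "111111", "111111",
    "alejandra", "tequiero", "a", "abc123", "P@ssw0rd!", "Tr0ub4dor&3",
    "qwerty", "iloveyou", "abcdefghijklmnopqrstuvwxyzabcd",
]

SPECIAL = set(string.punctuation)


def char_classes(pw):
    """Return the set of character classes ('alpha', 'digit', 'special') present in pw."""
    classes = set()
    for ch in pw:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def analyze(passwords):
    """Compute the statistics the article cites: shortest and longest password,
    most popular passwords, special characters in the top 20, and the share
    that mixes letters, digits and special characters."""
    counts = Counter(passwords)
    ranked = [pw for pw, _ in counts.most_common()]   # most frequent first
    top20 = ranked[:20]
    longest = max(passwords, key=len)
    full_mix = [pw for pw in passwords
                if char_classes(pw) >= {"alpha", "digit", "special"}]
    return {
        "shortest_length": min(len(pw) for pw in passwords),
        "most_common": ranked[0],
        "rank_of": {pw: i + 1 for i, pw in enumerate(ranked)},
        "top20_with_special": sum(1 for pw in top20 if "special" in char_classes(pw)),
        "percent_full_mix": round(100.0 * len(full_mix) / len(passwords), 1),
        "longest": longest,
        "longest_classes": char_classes(longest),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```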

More details about the passwords are available in Bogdan Calin's blog posting on Acunetix's web site.

Resources about phishing on Norman's web site

Usage   Title                                      Comment
Book    The little green book of phishing
Book    The little green book on identity theft