24 May 2018
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com

749Posts 2,158,727Views 62Comments

Email Addresses hacked via a Botnet or phished?

16 October 2009  |  3458 views  |  4

Recently Microsoft, Yahoo, Google, Comcast and Earthlink announced thousands of email addresses and their passwords were phished by identity thieves and posted in an online forum. One report suggests the emails phished could be up to a million victims.

Researchers parsed the hacked passwords and broke them down into categories based on their level of security. For example some of the passwords were very weak “111111”  “123456” “1234567” “12345678” “123456789” made the top list. Many of the stolen passwords were people’s first names which of course could be kids, spouse etc. Obviously anyone who uses an insecure password like this is more likely to get hacked due to their laziness and less than sophisticated approach to security. 60% of the passwords contained either all numbers or all lowercase letters.

Always use a combination of upper case and lower case, numbers and characters that don’t actually spell anything. Use the first letters of phrases and plug a number in there with a character “Monday is the 1st day of the week!” is Mit1dotw! Research in the data breach showed 6% of the passwords reflected this strong style.

There is however buzz in the IT security world that the data may have been leaked via a botnet. A botnet is a robot network of computers connected to the internet that all share a common technology, a virus/spyware that allows a criminal hacker to remotely access and control the machine. A botnet can be 10 PCs, 10,000 PC or many more. The infamous “conficker” is a botnet. Once a PC is infected the criminal hackers can use the botnet to commit crimes, store data and of course siphon data from the machines.

However while many of the passwords were weak, there were many passwords that were very strong.  The argument is that based on the strength of many of the passwords it is unlikely that they were phished, and more likely hacked.

Regardless of the method of attack there are many things a computer user can do to prevent phishing and being part of a botnet.

  1. When you receive any email from any “trusted source” asking you to login for ANY reason do not click links in the body of the email. Instead manually type the address or go to your favorites.
  2. Use the most recent version of a web browser that has a built in phish filter. Phish filters warn you against clicking links on unauthorized websites.
  3. Invest in anti-virus protection and make sure you have it set to automatically update your virus definitions. There are potentially thousands of new viruses every day. Going a week without anti-virus can make you vulnerable to attack.
  4. Invest in Identity Protection and Prevention. Because when all else fails, its great knowing someone is watching your back.
TagsSecurityRisk & regulation

Comments: (5)

Michael Wright
Michael Wright - Striata | Secure Document Delivery - London | 19 October, 2009, 11:15


What leads you to the conclusion that the strong passwords were hacked rather than phished ?

My understanding is that the stronger the password, the harder it is to hack (i.e. guess) and therefore the more likely it is to have been phished (social engineering) or recorded by a key logging trojan or virus.

One of the fundamental issues that should be mentioned here is that people often use the same password on many different sites.

You should always make sure that you use different passwords for your banking sites and your email sites - having one password for low risk sites is not a good idea but probably expedient.



(P.S. Banks should be standardising on anti-phishing measures in their email)

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Andrew Churchill
Andrew Churchill - Technology Strategy - London | 19 October, 2009, 23:31


I hadn't noticed this blog until you'd flagged it, so thanks for pointing out some of the glaring errors.

Title - hacked via a botnet or phished

Para 1 - they're phished -good old social engineering!

Para 2, line 1 - they're hacked, but some were very weak!

Para 2, line 3 - now they're stolen (so not UK victims, as you can't steal information, merely exploit it for other unlawful purposes)

Para 2, line 5 - back to hacking, and only insecure passwords can be hacked, clearly

Para 3 - strong passwords are on the compromised list.

So, actually back to para 2 because, in itself (over and above the truism that those who are using stronger passwords are likely to be security aware and hence have anti-virus, et al, and not fall for Dear Mister emails) anyone using an insecure password is no more likely to be a victim of hacking or phishing.

If you've an insecure machine and you're gullible then the security of your password makes not the slightest difference (besides the chances of a friend or colleague logging in as you).

Final paras are valid, but hardly news, so I'm afraid to say the only 'laziness and less than sophisticated approach to security' rests with the author.


Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Robert Siciliano
Robert Siciliano - IDTheftSecurity.com - Boston | 20 October, 2009, 00:50

Thanks for dragging me under the bus gents. Bet your mum is proud of you. I was pointing out how some researchers had come to the conclusion. I reported on it. So eat it.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Matt White
Matt White - Finextra - Toronto | 20 October, 2009, 09:17

Play nice please fellas.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Heinrich Mautner Markhof
Heinrich Mautner Markhof - WebLookOn Inc. - Austria | 27 October, 2009, 11:27

Hi Mike,

congrats that you made it to say write/report something that shown that PASSWORDS are a big part causing all this internet fraud. Just imagine we wouldnt use them any more. Meaning to use something that one has to remember and when beeing authenticated to type in his PC.... just look at the solution that shows a real altenative solution which provides strong authentication without costs...www.weblookon.com

Hi Andrew,

Dont be soo bad to Mike. This blog is very usefull for all who are concerned to security. Of course there are very few of them with a proved knowledge on all these topics like you. And I mean it. By the way, you still have´nt found out (cracked) the WebLookOn key-secret according to your WebLookOn Key-ID : a.churchill ......

all best



Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Robert

Are Your Employees Putting Your Company at Risk? Here’s How to Find Out!

18 May 2018  |  4530 views  |  0 comments | recomends Recommends 0 TagsSecurity

10 Internet Security Myths that Small Businesses Should Be Aware Of

11 May 2018  |  1227 views  |  0 comments | recomends Recommends 0 TagsSecurity

Mobile Phone Numbers Are as Sensitive as Your Social Security Number

19 April 2018  |  3483 views  |  0 comments | recomends Recommends 0 TagsSecurity

The Term Identity Theft Protection is Often a Lie

06 April 2018  |  7528 views  |  0 comments | recomends Recommends 0 TagsSecurity

Use a Password Manager Or You WILL Get Hacked

19 March 2018  |  3922 views  |  0 comments | recomends Recommends 0 TagsSecurity

Robert's profile

job title Security Analyst
location Boston
member since 2010
Summary profile See full profile »
Security analyst, published author, television news correspondent. Deliver presentations throughout the United States, Canada and internationally on identity theft protection and personal security....

Robert's expertise

Member since 2009
739 posts62 comments

Who's commenting on Robert's posts