Blog article
See all stories »

Email Addresses hacked via a Botnet or phished?

Recently Microsoft, Yahoo, Google, Comcast and Earthlink announced thousands of email addresses and their passwords were phished by identity thieves and posted in an online forum. One report suggests the emails phished could be up to a million victims.

Researchers parsed the hacked passwords and broke them down into categories based on their level of security. For example some of the passwords were very weak “111111”  “123456” “1234567” “12345678” “123456789” made the top list. Many of the stolen passwords were people’s first names which of course could be kids, spouse etc. Obviously anyone who uses an insecure password like this is more likely to get hacked due to their laziness and less than sophisticated approach to security. 60% of the passwords contained either all numbers or all lowercase letters.

Always use a combination of upper case and lower case, numbers and characters that don’t actually spell anything. Use the first letters of phrases and plug a number in there with a character “Monday is the 1st day of the week!” is Mit1dotw! Research in the data breach showed 6% of the passwords reflected this strong style.

There is however buzz in the IT security world that the data may have been leaked via a botnet. A botnet is a robot network of computers connected to the internet that all share a common technology, a virus/spyware that allows a criminal hacker to remotely access and control the machine. A botnet can be 10 PCs, 10,000 PC or many more. The infamous “conficker” is a botnet. Once a PC is infected the criminal hackers can use the botnet to commit crimes, store data and of course siphon data from the machines.

However while many of the passwords were weak, there were many passwords that were very strong.  The argument is that based on the strength of many of the passwords it is unlikely that they were phished, and more likely hacked.

Regardless of the method of attack there are many things a computer user can do to prevent phishing and being part of a botnet.

  1. When you receive any email from any “trusted source” asking you to login for ANY reason do not click links in the body of the email. Instead manually type the address or go to your favorites.
  2. Use the most recent version of a web browser that has a built in phish filter. Phish filters warn you against clicking links on unauthorized websites.
  3. Invest in anti-virus protection and make sure you have it set to automatically update your virus definitions. There are potentially thousands of new viruses every day. Going a week without anti-virus can make you vulnerable to attack.
  4. Invest in Identity Protection and Prevention. Because when all else fails, its great knowing someone is watching your back.

Comments: (5)

Michael Wright
Michael Wright - Striata | Secure Document Delivery - London 19 October, 2009, 11:15Be the first to give this comment the thumbs up 0 likes


What leads you to the conclusion that the strong passwords were hacked rather than phished ?

My understanding is that the stronger the password, the harder it is to hack (i.e. guess) and therefore the more likely it is to have been phished (social engineering) or recorded by a key logging trojan or virus.

One of the fundamental issues that should be mentioned here is that people often use the same password on many different sites.

You should always make sure that you use different passwords for your banking sites and your email sites - having one password for low risk sites is not a good idea but probably expedient.



(P.S. Banks should be standardising on anti-phishing measures in their email)

Andrew Churchill
Andrew Churchill - MIDAS Alliance - London 19 October, 2009, 23:31Be the first to give this comment the thumbs up 0 likes


I hadn't noticed this blog until you'd flagged it, so thanks for pointing out some of the glaring errors.

Title - hacked via a botnet or phished

Para 1 - they're phished -good old social engineering!

Para 2, line 1 - they're hacked, but some were very weak!

Para 2, line 3 - now they're stolen (so not UK victims, as you can't steal information, merely exploit it for other unlawful purposes)

Para 2, line 5 - back to hacking, and only insecure passwords can be hacked, clearly

Para 3 - strong passwords are on the compromised list.

So, actually back to para 2 because, in itself (over and above the truism that those who are using stronger passwords are likely to be security aware and hence have anti-virus, et al, and not fall for Dear Mister emails) anyone using an insecure password is no more likely to be a victim of hacking or phishing.

If you've an insecure machine and you're gullible then the security of your password makes not the slightest difference (besides the chances of a friend or colleague logging in as you).

Final paras are valid, but hardly news, so I'm afraid to say the only 'laziness and less than sophisticated approach to security' rests with the author.


Robert Siciliano
Robert Siciliano - - Boston 20 October, 2009, 00:50Be the first to give this comment the thumbs up 0 likes

Thanks for dragging me under the bus gents. Bet your mum is proud of you. I was pointing out how some researchers had come to the conclusion. I reported on it. So eat it.

Matt White
Matt White - Finextra - Toronto 20 October, 2009, 09:17Be the first to give this comment the thumbs up 0 likes

Play nice please fellas.

A Finextra member
A Finextra member 27 October, 2009, 11:27Be the first to give this comment the thumbs up 0 likes

Hi Mike,

congrats that you made it to say write/report something that shown that PASSWORDS are a big part causing all this internet fraud. Just imagine we wouldnt use them any more. Meaning to use something that one has to remember and when beeing authenticated to type in his PC.... just look at the solution that shows a real altenative solution which provides strong authentication without

Hi Andrew,

Dont be soo bad to Mike. This blog is very usefull for all who are concerned to security. Of course there are very few of them with a proved knowledge on all these topics like you. And I mean it. By the way, you still have´nt found out (cracked) the WebLookOn key-secret according to your WebLookOn Key-ID : a.churchill ......

all best



Now hiring