Leaked Hotmail Password Data Analysis

Martin Brinkmann — Fri, 09 Oct 2009 07:25:37 +0000

Remember back then when AOL decided to provide downloads of an anonymized snapshot of their search engine logs? One of the first things that Internet Marketers did was to analyze the data to see what users where looking for. Groups focused on privacy would analyse the data to see if it was possible to identify single users from the data that was offered by AOL.

Security analyst Bogdan Calin from Acunetix performed a similar analysis on the leaked Hotmail data. He performed an initial analysis and clean up of the data which consisted of 10,028 entries and started a detailed analysis of the remaining 9843 passwords of which 90% were unique.

3,713 = 42 %; lower alpha passwords : passwords containing only characters from ‘a’ to ‘z’. Example : iloveyou
291 = 3 %; mixed case alpha passwords : passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’. Example: ILoveYou
1707 = 19 %; numeric passwords: passwords containing only numbers (’0′ to ‘9′). Example: 123456
2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-’z’, ‘A’-’Z’ and ‘0′-’9′. Example: Iloveyou12
565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@

The shortest password in the list was made up of one character while the longest used 30 of them. The average length was eight characters with 42% of all users using a password that only consisted of lower case characters from a to z and an additional 19% of all users using a password with numeric values only.The most common used password was 123456 followed by 123456789.

Calin thinks that the passwords have been gathered using various phishing kits. It is also likely that the attack was aimed at the “latino” community which he concluded from the passwords entered by the users. You can find the full report at the Acunetix website.

Verdict: It is interesting that that many users are still using weak passwords for important accounts like web email accounts. But then again, a good password does not help at all if the user enters it in the wrong place for attackers to see.

Hotmail Phishing Attack: Time To Change Passwords

Martin Brinkmann — Mon, 05 Oct 2009 19:26:30 +0000

Microsoft has recently confirmed that thousands of Windows Live Hotmail customer’s credentials were exposed on a third party website. According to Neowin the account information were posted by an anonymous user at the pastebin website. The list that was posted contained over 10.000 account details of accounts starting with the letters A and B which suggests that additional lists might be in the hands of the attackers. Initial investigations suggest that only accounts used to access Windows Live Hotmail were affected (which includes email accounts ending with hotmail.com, msn.com or live.com.

Microsoft determined that the attack was not a breach of internal Microsoft data and believes that the account data was gained by a phishing attack. Phishing attacks are common ways these days to lure users into entering their account data on websites that look like the real deal but are not.

Hotmail users are encouraged to immediately change their account password to protect the account from unauthorized access. It is furthermore recommended to change the account password on other websites if the same password was used for accounts there as well.

A good tool that can help users create and use secure passwords is the Last Pass extension which is available for Firefox,Internet Explorer and Google Chrome.

gHacks Technology News | Latest Tech News, Software And Tutorials » hotmail phishing

Leaked Hotmail Password Data Analysis

Hotmail Phishing Attack: Time To Change Passwords