
Exposed! The passwords leaked in phishing scam

List of popular passwords in phishing scam that affected thousands of Hotmail, Gmail and Yahoo! accounts has been revealed

Most popular passwords from the leaked list include '123456' and 'password'.

Most of the passwords leaked as part of a recent phishing attack involving 30,000 email accounts have been identified as weak by security firm Sophos.

An anonymous user posted 10,000 Hotmail passwords online on October 1st, which Microsoft subsequently took down. The company had to block access to affected accounts, with users asked to fill out an online form to reclaim access. Days later, the BBC revealed that passwords from other service providers like Yahoo!, AOL and Gmail were also targeted by the large-scale phishing attack, with reports that close to 30,000 accounts are now involved.

While there's no information yet on exactly who is responsible, the scam has brought online security into the spotlight internationally. A researcher from the security firm Sophos, who had the chance to quickly analyse the list of phished email addresses and passwords, revealed that the most popular passwords were "insecure". These include:


"As well as being insecure, these passwords suggest a preoccupation with children's popular culture," wrote Paul O Baccas in a blog post for Sophos.

There's a debate raging on whether the password list is a result of traditional spam phishing campaigns or something entirely new, but Baccas believes that a rogue social networking application could be at play this time around.

Trend Micro, another security firm, has downplayed the scale of the attack. "What is surprising is not really the amount of accounts affected. It is only the fact that so many were exposed publicly that is surprising," writes spokesman Rik Ferguson.

"There is a thriving underground market in stolen email account credentials and the numbers of accounts for sale on any given day easily number over the 30,000 or so that have been exposed in this latest story.... This is not a 'massive phishing campaign' it is simply the ugly backside of online crime sticking out of the water for a second as they dive back into murkier depths," Ferguson concludes.
