
Two million Facebook, Gmail and Twitter passwords stolen - swasheck
http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/index.html?hpt=hp_t2
======
codeka
2 Factor Authentication, 2 Factor Authentication, 2 Factor Authentication!

I've had 2 factor authentication enabled on my gmail account for over a year
now, and once you get past the initial setup phase, it's really not _that_
inconvenient.

I have even been able to train my parents to use 2 factor auth, I just need to
get them using a password manager now...

~~~
zzleeper
What happens if I'm i) outside the country, so no SMS for me, ii) outside cell
tower coverage but with wifi (happens every day for me inside buildings), or I
got my cellphone stolen for instance. How does 2fauth work in that case?

(Just wondering, as the above _are_ the reasons I decided not to use it)

~~~
potatolicious
2-factor authentication does not require the second factor every time. It
typically only asks for the second factor if the device is unrecognized, or
the usage pattern is unfamiliar.

So, your laptop that's logged into GMail will stay logged in when you're out
of the country. Unless you explicitly log out, it will stay this way.

I enter maybe one two-factor auth code a week, if that.

So:

i) Prepare ahead and log into your services.

ii) Walk to the nearest window, get the code, and go back to your desk.

iii) Replace your phone - you keep your number - request the auth key again.

None of these are completely seamless of course, but the idea is that all of
the above happen rarely enough, and are mitigable enough, that it's far better
than the alternative: getting pwned.

There are also second factors in the form of mobile apps, which eliminate the
need for SMS, so as long as you have data/WiFi you're set. There are also ones
that don't need data at all (see: the Battle.net Authenticator, which is
basically an RSA key on your phone), but require more substantial initial
setup.

~~~
nl
This advice isn't _incorrect_, but it isn't entirely accurate either.

The Google Authenticator mobile app doesn't require data, so that meets the
OP's requirements perfectly (ie, no SMS or data).

Use that, print out the one-time use codes and keep them in your wallet.

------
sergiotapia
Misleading headline, makes it seem like these guys were hacked on their
servers. When the reality is people spread a virus and passwords were logged
from individual machines. No fault from Google or Twitter.

~~~
obituary_latte
Yup. They're talking about the recent spiderlabs report it seems.

~~~
werrett
The source is this SpiderLabs blog post:

[http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-po...](http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html)

------
gurvinder
"File Transfer Protocol (FTP, the standard network used when working from
home) "

Maybe at CNN, that is what they use to work from home.

~~~
krapp
HN greatly overestimates how dead FTP is.

~~~
sliverstorm
But I heard FTP was declared harmful and phased out in 1970?

~~~
krapp
Tell that to my wordpress projects....

~~~
JoshuaDavid
You can. Put this line in the config file:

define( 'FS_METHOD', 'direct');

------
wpietri
Ugh. Actually, 410k Facebook, Gmail, and Twitter passwords stolen:

    318,000 Facebook accounts
     70,000 Gmail, Google+ and YouTube accounts
     22,000 Twitter accounts

~~~
sp332
There were thousands of services attacked, there isn't room in the headline
for all of them.

~~~
wpietri
Sure there is: "Two million Facebook, Gmail, other passwords stolen".

Or: "Two million passwords stolen, including from Facebook, Gmail, and
Twitter".

------
knownhuman
While technically accurate, the headline seems to allude to direct breaches of
Facebook, Gmail, and Twitter.

~~~
powera
Not even technically accurate. The article says that only 400k of the 2
million stolen passwords were from FB/GOOG/TWTR.

------
joshfraser
If you use LastPass, this is a good time to run their Security Challenge
([https://lastpass.com/index.php?securitychallenge=1](https://lastpass.com/index.php?securitychallenge=1))
to audit the strength and uniqueness of your passwords. If you're not using
LastPass or something similar like 1Password then today is a good time to fix
that.

~~~
Houshalter
What good will that do against a keylogger?

~~~
JangoSteve
Strength of password won't really help for key logging, but using e.g.
Lastpass helps because it logs you into everything without having to type your
passwords. It will even generate and fill in your initial passwords so that
you never have to type your passwords even once.

~~~
Houshalter
Lastpass doesn't have a password itself?

~~~
JangoSteve
Ah great question. It does, but it usually stays logged in on your computer,
since it runs locally. So you rarely if ever need to type your password for
Lastpass, meaning the keylogger would have had to be running on your computer
when you installed and set up Lastpass. On a related note, it can also be set
up with 2 factor auth.

~~~
Houshalter
Presumably the password is stored to a file or in memory (of course that could
be arbitrarily difficult to figure out how to decode, but it can't be
encrypted since that would require another password.)

~~~
JangoSteve
Why do you assume it'd be stored in plain text rather than hashed? Also, what
does compromising someone's local filesystem have to do with the functionality
of a keylogger?

~~~
Houshalter
Even if it's hashed, then the hash can still be used to reconstruct the
lastpass passwords. And I'm just assuming that you can't trust your filesystem
if your machine has been compromised by malware. You're right the keylogger
probably isn't that complicated. It depends on what level of paranoia you have
and how widely lastpass becomes adopted (thus more incentive to hack it.) More
likely the keylogger will just get the first time you enter your password into
lastpass and then steal it that way.

The point is lastpass is designed to protect you from weak passwords and
password reuse. It doesn't do anything to protect against attacks on your
actual computer.

~~~
JangoSteve
Oh, I misunderstood you; I thought you were referring to the master password
of LastPass as being plain-text or reversibly encrypted. You mean that the
passwords stored by LastPass must be reversibly encrypted on disk. Yes, that's
true. Password managers do open the door for such an attack, but they tend to
be much less vulnerable to attacks in general than reusing the same passwords.
Of course, it's really up to each person to decide what risks are acceptable
in the trade-off between convenience and security.

I think the main point was that a password manager would have been much less
susceptible to the keylogger attack which led to this particular incident.

------
steffan
I found this rather amusing: “Among the compromised data are 41,000
credentials used to connect to File Transfer Protocol (FTP, the standard
network used when working from home)”

~~~
Raphmedia
Well, it is a not so wrong vulgarization.

------
nathan_long
What platform(s) was the keylogger written for and how was it spread?

~~~
sergiotapia
Given the vast amount of passwords farmed, I would say it was targeted for
the Windows platform.

~~~
prawks
Is this really a valid point still? Surely two million is a drop in the bucket
in the group of Facebook users accessing via OS X or Windows.

------
lurkinggrue
Does anybody have a torrent of this?

You know... for science.

~~~
owenfi
I'd like to verify my users are not among those exposed, since we use some of
the aforementioned services for single sign on.

------
mikeishi
Which operating systems were affected? It seems like the official report
doesn't even contain this critical information.

~~~
babuskov
Windows XP/2003/Vista/7/8 (x32/x64)

Apparently this keylogger was used:

[http://malware.dontneedcoffee.com/2013/10/jolly-roger-steale...](http://malware.dontneedcoffee.com/2013/10/jolly-roger-stealer-c-panel.html)

------
yaix
> The massive data breach was a result of keylogging software maliciously
> installed on an untold number of computers around the world

Is that a Windows only issue or are other OSes affected?

------
loceng
I had an unexpected login attempt from Vietnam in this past week. Google
blocked it automatically - though it was successful, correctly used password.

I wonder if connected..

------
Zoomla
Not as safe as other solutions, but I can remember all my passwords by
choosing passwords by website category (6 for example): one for low-security
sites, one for sites that have your CC #, one for social networking, one for
email, one for work, and one for your banking sites. Keep a copy in your
wallet. Sleep better.

------
rza
> Facebook, LinkedIn and Twitter told CNNMoney they have notified and reset
> passwords for compromised users.

> The hackers set up the keylogging software to route information through a
> proxy server, so it's impossible to track down which computers are infected.

Have I missed something or are these statements contradictory?

~~~
awj
Nothing contradictory about it. First statement is about accounts on services,
second is about finding the machines used to log into said accounts.

The sad part is that many people with this keylogger may react to the password
change before/without removing the logger, which would entirely defeat the
point.

------
werrett
In case anyone is interested the primary source for the article is the
following blog post (it is slightly buried):

[http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-po...](http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html)

------
iamabhishek
I was wondering, how do these services come to know that they had a breach?
How do Facebook or Twitter or Gmail exactly number the amount of data
(passwords) stolen? Just curious to know!

------
denzil_correa
57.06% of the passwords stolen were for the Facebook domain. Sigh!

~~~
seiji
At least nothing of value was lost?

~~~
dragonwriter
The ADP -- a payroll service -- passwords (which, interestingly, aren't in the
headline), are probably the ones that, despite being smallest in number, offer
the most opportunity for direct financial disruption.

~~~
seiji
ADP is _horrible_, but their website can't change financial details (it only
shows paystubs and tax forms). You can kinda change things through ADP
FlexDirect, but all direct deposit enrollment is done elsewhere.

The ADP employee site hasn't changed in the past ten years and still uses
basic auth. It's horrible. And freaky. When you log in to your new company
account, it shows all paystubs from your past employers too. [With the
implication of your current payroll department being able to see how much you
were getting paid at all your previous jobs since it's the same account?]

~~~
dragonwriter
> ADP is horrible, but their website can't change financial details

The article here says that the account information that was compromised can.
I'm not sure if that is a result of bad reporting on the same level as that
related to FTP in the article, or the accounts that were compromised are
different than the ones for the website you are talking about.

~~~
seiji
Yeah, it's possible they were HR-level accounts that actually run payroll and
not just employee accounts.

The more power you wield in an organization the less competent with technology
you are.

~~~
dragonwriter
That's probably only even roughly true in tech organizations where the low-
level folk have tech-related duties. (Though HN users are probably somewhat
biased to think in terms of such organizations.)

------
mtsmithhn
So no details on how to detect if this virus is on your computer?

~~~
kevinchen
Apparently not. I think just wait until Google, Facebook, or Twitter reset
your password.

~~~
onemanshow33
That is exactly my fear

------
lcasela
Was this targeted towards windows?

------
iamabhishek
I thought Hotmail was least secure. But every time passwords are stolen, it's
always for the Big-3 social networks: Facebook, Twitter or LinkedIn. This time
Gmail joined in. Great!! But then what can you expect from a free service
{kidding}

------
cdvonstinkpot
Page won't display in my mobile browser, so I can't read the story.

