A Star Wars Galaxies fan site got hacked today and thieves stole 21,000 email addresses and 23,000 passwords. And judging from an analysis of the passwords, most of them were weak.
The site SWGalaxies.net is a fan site owned by LFNetwork, an independently owned network of LucasArts fan sites. Hackers from the group ObSec, a small hacking collective with apparent sympathies for the LulzSec and AntiSec hacktivist groups, broke through the site’s security and posted the addresses and passwords on the web. While a compromised forum login isn’t itself a big deal, the threat from this kind of smaller breach is that it can lead to further identity theft that could be devastating for individuals — particularly if they’re reusing the same passwords at other, more critical websites.
Jeff Moeller, editor of LFNetwork, said that the site that got hacked is not actively maintained any more. The fan site targets males 18 to 34 years old, and evidently none of the other UGO or IGN sites were targeted.
Identity Finder took a look at the posted passwords and found many of them were weak. In other words, they would have been easy to crack because they are short, contain dictionary words, or don’t contain special characters, numbers,
“It’s unfortunate,” said Todd Feinman, chief executive of Identity Finder, in an interview. “It must be so frustrating for someone to see their passwords online, given the amount of online sign-ups we have to
Of the 23,389 passwords stolen, 71 percent were weak. Only 13 percent of the passwords were strong. The average password length was 7.6 characters. About 4.3 percent of the passwords were less than 5 characters, and only 4.7 percent of the passwords were more than 10
Hacking a game web site password isn’t too big a deal. But the problem is that users often reuse their passwords on more important sites, like online banks. Studies show that 50 percent of passwords are
Feinman said, “Passwords are a digital identity and password reuse is a serious problem that could lead toward identity fraud.”
One of the users had a password that was 42 characters long. That person took trouble to protect himself or herself. But since the web site stored the passwords in an unencrypted format, the password is out there for everyone to see now.
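
The tally Identity Finder reports above (average length, share under 5 and over 10 characters, share weak by the three stated criteria) can be reproduced with a short audit script. This is an added example, not Identity Finder's tool or code from the article; the word list, the 8-character cut-off for "short" and the sample passwords are constructed assumptions.

```python
from statistics import mean

# Assumptions (not from the article): a tiny stand-in word list and an
# 8-character cut-off for "short". A real audit would load a full dictionary.
DICTIONARY = {"password", "dragon", "jedi", "galaxy", "master", "star"}
MIN_LENGTH = 8

# Constructed sample passwords, not taken from any breach.
SAMPLE = [
    "jedi", "password1", "Tr0ub4dor&3x", "starwars", "qwertyui",
    "x9$Lm2!pQ7vT", "dragon77", "abc", "N7#kd02",
    "correct-horse-battery-staple-42",
]


def weakness_reasons(pw):
    """Return which of the article's three weakness criteria a password meets."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("short")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        reasons.append("dictionary word")
    if pw.isalpha():  # no digits and no special characters
        reasons.append("letters only")
    return reasons


def pct(part, whole):
    return round(100 * part / whole, 1)


def audit(passwords):
    """Compute the same summary figures the article quotes for the dump."""
    if not passwords:
        raise ValueError("no passwords to audit")
    n = len(passwords)
    lengths = [len(p) for p in passwords]
    return {
        "count": n,
        "avg_length": round(mean(lengths), 1),
        "pct_under_5": pct(sum(l < 5 for l in lengths), n),
        "pct_over_10": pct(sum(l > 10 for l in lengths), n),
        "pct_weak": pct(sum(bool(weakness_reasons(p)) for p in passwords), n),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

The same `weakness_reasons` check can run at sign-up or password-change time, when the plaintext is legitimately in hand, so the site never needs to store it in readable form.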