Top journalists' email passwords made public, as scandal impacts over 200,000

Filed Under: Data loss, Featured, Law & order, Privacy, Social networks, Spam, Twitter

Repeat after me: You should not use the same password on multiple websites.

That's an important lesson that thousands of bloggers are having to learn the hard way, after an extraordinary story broke in Sweden that involves Twitter, politics, password security and allegations that members of the national media were being spied upon.

Here are the facts that we know so far.

Right-wing MP William Petzäll left the Sweden Democrats (SD) party late last month, announcing that he would be an independent member of parliament.

The news came following a very public struggle Petzäll had had with alcohol and prescription drug abuse.

Earlier this week, the 23-year-old politician was forcibly committed into care against his will, as he was deemed to be at risk of harming himself or others.

So far, nothing to do with computer security.

But yesterday, messages began to appear on William Petzäll's Twitter account making the explosive accusation that SD leader Jimmie Åkesson and party secretary Björn Söder had hacked into the email accounts of Swedish journalists and their political opponents.

Accusation from William Petzäll's Twitter account

I can tell you that Söder and Åkesson had full access to everything that AB (Aftonbladet) and Expressen reporters had in their email for numerous years.

The messages on Petzäll's Twitter account continued to produce "evidence", publishing the email addresses and passwords (in the form of MD5 hashes) of leading journalists.

Tweets from William Petzäll's Twitter account

William Petzäll's lawyer said that his client was not making the Twitter postings, and that he did not have access to the internet where he is hospitalized. In other words, the story from the Petzäll camp is that an unauthorised person has taken over the troubled politician's Twitter account and is making the controversial tweets.

But then things got even worse.

More than 90,000 passwords and usernames associated with the popular Swedish blog portal, Bloggtoppen.se, have been released - making it easy for anyone to break into accounts belonging to newspaper journalists, politicians and journalists.

Things wouldn't be so critical, of course, if people weren't using the same passwords on multiple websites.

A stark message currently greets visitors to Bloggtoppen:

Bloggtoppen

Bloggtoppen is closed until further notice for system maintenance due to alleged hacking.

Unknown perpetrators have come across our user database containing usernames, email addresses and hashed passwords. This means that if you have used the same login information for other services on the web, it's likely these accounts could be hijacked. We recommend all users to immediately change the password on all accounts that use the same login information as here.

Further information will be forthcoming when we have had time to investigate and resolve the interference.
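The notice above explains the core of the risk: the dump contains hashed passwords, and reuse of those passwords elsewhere is what turns one site's breach into many account takeovers. The following Python example is added here for illustration and is not code from the article, from Bloggtoppen or from any of the affected sites. It uses a constructed, hypothetical user table (addresses and passwords invented for the example) to show two things: why an unsalted MD5 table lets anyone see at a glance which users share a password, and what a site operator should store instead (a per-user random salt plus a slow, iterated key derivation, here PBKDF2-HMAC-SHA256 from the standard library).

```python
import hashlib
import hmac
import os

# Constructed sample of a "leaked" user table storing unsalted MD5 hashes,
# the storage format the article says the published hashes were in.
# Every address and password below is hypothetical.
LEAKED_USERS = {
    "reporter@example.se": hashlib.md5(b"sommar2011").hexdigest(),
    "editor@example.se": hashlib.md5(b"sommar2011").hexdigest(),
    "blogger@example.se": hashlib.md5(b"hunter2").hexdigest(),
}


def unsalted_hash_collisions(table):
    """Group users whose stored hashes are byte-for-byte identical.

    Without a per-user salt, the same password always yields the same digest,
    so a single recovered password exposes every account in that group, and
    the grouping itself is visible to anyone holding the dump.
    """
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}


def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh 16-byte random salt means two users with the same password get
    different records, and the iteration count makes offline guessing slow.
    (bcrypt, scrypt or Argon2 are preferable where a library is available.)
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive the key from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_records_differ(password):
    """Two records for the same password should never match once salted."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # With unsalted MD5, the two users sharing "sommar2011" are visible at once.
    print("shared-password groups:", unsalted_hash_collisions(LEAKED_USERS))
    # With salted PBKDF2 the same password no longer produces a matching record.
    print("salted records differ:", salted_records_differ("sommar2011"))
```

The first function is the view an attacker gets from an unsalted table; the remaining three are the storage scheme that removes that view and slows guessing. Neither helps a user who reused the leaked password on another site, which is why the article's advice to change every account sharing the credentials still applies regardless of how well the breached site hashed them.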

Today, the Aftonbladet newspaper has reported that a further 57 websites have also been hacked, and the login details of up to 200,000 people are at risk.

This story is likely to run and run, but what's important is how internet users respond to the news now. If you're a computer user - whether you're Swedish or not - it's time to learn to use different passwords for different websites.

If you think you won't be able to remember different passwords, use secure password vaults such as KeePass or 1Password.

Re-using passwords is a security disaster waiting to happen - because if your password gets stolen in one place, your whole online identity may be at risk.


10 Responses to Top journalists' email passwords made public, as scandal impacts over 200,000

  1. Mahesha Badrajith · 1037 days ago

    Is LastPass too OK to use? Or does it have any risk?

    • Linux_Hacker · 1037 days ago

      The risk of using these programs is the way the html form input components are named. For instance, if a site does not use normal naming procedures then the login form is auto filled and submitted and your password would be sent to the server in plain text and anyone who can view the web logs of the server can see the password then figure out your login from the next few entries. In other words, there is a real danger that the login and password can get reversed in the form and auto submitted with some of these types of apps. Keepass or Keepassx does this on some sites. As opposed to keeping up with your own passwords which allows you to eliminate the middle man.

  2. Intrepid · 1037 days ago

    The best and easiest program to secure and remember your passwords is called Roboform. It not only encrypts and remembers your passwords, it enters them when requested based on the website you're visiting. I've been using it for years. Read about it at Cnet's Download.com where it has a rare 5 star rating by both the editors and users. Highly recommended. http://download.cnet.com/RoboForm/3000-18501_4-10...

  3. Lastpass is encrypted and works well for me. :D

  4. Henry Tye · 1037 days ago

    I agree with intrepid, why wouldn't you mention RoboForm? RoboForm is definitely the best password manager, I feel like that is something that everyone knows.

  5. FunkyJ · 1036 days ago

    Here's an easy way to have multiple different passwords

    1) Choose a password. ie: password
    2) Add a capital, number, and symbol. ie: Password1!
    3) Add the site name, or nickname for the site it's for. ie: Password1!Twitter. Password1!Google

    Unless your twitter and google accounts are hacked, and moreover someone notices you've used the same password but with different sites appended, you're much safer than relying on a single password.

    • I wouldn't recommend that. If someone works out your formula, you're screwed. Use password management software instead.

      • Nik · 1036 days ago

        Equally if someone captures a single password they can deduce passwords for other sites very easily. Password management software is definitely the best option.

  6. Dante · 1036 days ago

    I'm using Password Safe and I always worry when people recommend KeePass in its stead. Am I missing something ?

  7. 1Password is excellent: you choose what you input, where and how. It handles a lot of other personal info as well, and is available for OSX (Mac) and iOS (iPhone and iPad).

    Linux_Hacker has a point, but using a good password app and avoiding sloppy websites makes a big difference, as does encrypted ("secure") browsing.

    Whatever you do, there is a risk, but currently the biggest risks are people reusing passwords, using weak passwords and not protecting their password data.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.