Corrections and additional information have been added to the end of this post.
One of the largest ISPs in the Netherlands has shut down its email services after hackers posted usernames, passwords, phone numbers, addresses and more belonging to more than 500 customers on the internet.
KPN discovered the attackers on its network January 27th, but decided not to disclose the information immediately after consulting with the Dutch government and law enforcement agencies.
Presumably this was intended to allow them to monitor the attacker and gather evidence that might be used to apprehend and prosecute them.
They announced the breach on February 8th, but suddenly today decided to suspend all email access after some customers’ information was posted on pastebin.com.
They are currently allowing customers to send outbound email, but have disabled access to customer mailboxes while they work on securing the server infrastructure.
KPN provides service to more than two million Dutch internet users and it is unclear if information was stolen about more than the 500+ already disclosed.
I have seen a lot of arguments among security researchers lately about the value of analyzing passwords that have been stolen from sites like Care2.com and Stratfor.
The argument is that people’s passwords are weak because these are throwaway websites and people can’t be bothered to choose unique passwords for every site they access.
This time the passwords disclosed are for accessing private email accounts, something I would expect most of us would consider very personal and important enough to protect properly.
What did I find? The average password was 8.3 characters long and most of them were abysmally weak. The shortest password was only 4 characters, while the two longest were 13 characters.
Password complexity isn’t really the problem in this case; the real problem is that the password database was stolen in the first place.
No matter how long your password is it does you no good if it is stored in plain text and stolen by a cybercriminal.
KPN has warned its customers that they should change any passwords they might have reused on other sites like Google or Facebook.
To me, that is the real lesson here. You really *need* to use a unique password for every site you visit, or in the worst case at least for the important ones.
Complexity is nice, entropy is great, but it is all for naught if your service provider can’t hold up its end of the bargain.
Update: @mrkoot on Twitter was kind enough to translate some of the updated information about KPN from Dutch to English, thank you Matthijs.
As some Naked Security readers pointed out the stolen information posted appears to be from the 2011 compromise of a site called Baby Dump. What is unknown is why KPN claimed that the 500 plus accounts were actually its customers in the post on its blog.
The attackers claim to have accessed core routers in the ISP’s infrastructure and to have initially gained access to KPN’s systems through unpatched servers.
It also appears that @KPNwebcare tweeted earlier today that customers were safe as their “passwords are encrypted with UTF8”.
I will leave the interpretation of that comment to the reader, but I don’t think UTF8 is that reassuring.
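To make the point concrete, here is a short added example (my own illustration, not code from KPN or from the original post) that contrasts "encrypted with UTF8" with actual password storage: the UTF-8 bytes hand the password straight back to whoever steals the database, whereas a salted PBKDF2-HMAC-SHA256 record lets the provider verify a login without ever holding the password. The sample password and the record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample value for the demonstration; not taken from any leak.
SAMPLE_PASSWORD = "welkom01"


def utf8_scramble(password: str) -> bytes:
    """What 'encrypted with UTF8' actually amounts to: a text encoding, not protection."""
    return password.encode("utf-8")


def utf8_unscramble(stored: bytes) -> str:
    """Anyone holding the stolen bytes recovers the password with a single call."""
    return stored.decode("utf-8")


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Return a storable record: algorithm, iteration count, random salt and digest.

    The record contains no copy of the password; a fresh 16-byte salt per user
    means two users with the same password get different records.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest from the candidate password and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = utf8_scramble(SAMPLE_PASSWORD)
    print("UTF-8 'protected' value recovers to:", utf8_unscramble(leaked))
    record = hash_password(SAMPLE_PASSWORD)
    print("Stored record:", record)
    print("Correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("Wrong password verifies:", verify_password("welkom02", record))
```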