Corrections and additional information have been added to the end of this post.
One of the largest ISPs in The Netherlands has shut down its email services after hackers posted usernames, passwords, phone numbers, addresses and more of more than 500 customers on the internet.
KPN discovered the attackers on its network January 27th, but decided not to disclose the information immediately after consulting with the Dutch government and law enforcement agencies.
Presumably this was intended to allow them to monitor the attacker and gather evidence that might be used to apprehend and prosecute them.
They announced the breach on February 8th, but suddenly today decided to suspend all email access after some customers’ information was posted on pastebin.com.
They are currently allowing customers to send outbound email, but have disabled access to customer mailboxes while they work on securing the server infrastructure.
KPN provides service to more than two million Dutch internet users and it is unclear if information was stolen about more than the 500+ already disclosed.
I have seen a lot of arguments among security researchers lately about the value of analyzing passwords that have been stolen from sites like Care2.com and Stratfor.
The argument is that people’s passwords are weak because these are throwaway websites and people can’t be bothered to choose unique passwords for every site they access.
This time the passwords disclosed are for accessing private email accounts, something I would expect most of us would consider very personal and important enough to protect properly.
What did I find? The average password was 8.3 characters long, and most of them were abysmally weak. The shortest password was only 4 characters, while the two longest were 13 characters.
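For readers who want to run the same kind of analysis on a dump of their own, here is an added example (my own code, not the post's and not anything from KPN or Baby Dump). It parses user:password lines, computes the length statistics quoted above, buckets passwords by character class, and flags the ones that are short, single-class, or on a small common-password list. The dump lines and the wordlist are constructed for the example; a real run would use a proper wordlist such as rockyou.

```python
import statistics
from collections import Counter

# Constructed sample in the "user:password" shape of a typical dump.
# These are made-up accounts, not rows from the KPN or Baby Dump leaks.
SAMPLE_DUMP = """\
alice@example.net:welkom01
bob@example.net:1234
carol@example.net:Wachtwoord
dave@example.net:qwerty1234
erin@example.net:Zomer2011!
frank@example.net:abcdefghijklm
grace@example.net:password
heidi@example.net:P@ssw0rd
"""

# Tiny stand-in for a real wordlist.
COMMON_PASSWORDS = {"password", "wachtwoord", "welkom01", "123456", "qwerty", "letmein"}

# Undo the usual "leet" substitutions so P@ssw0rd is judged as password.
LEET = str.maketrans("@013$5", "aoiess")


def parse_dump(text):
    """Split 'user:password' lines. Only the first ':' separates the fields,
    because a password may itself contain ':'."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:
            user, pw = line.split(":", 1)
            creds.append((user, pw))
    return creds


def normalize(pw):
    return pw.lower().translate(LEET)


def classify(pw):
    """Coarse character-class label, the first thing a cracker looks at
    when choosing a mask."""
    if pw.isdigit():
        return "digits-only"
    if pw.isalpha() and pw.islower():
        return "lowercase-only"
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return "mixed" if classes >= 3 else "two-class"


def is_weak(pw):
    """Short, a known common password (raw or after leet normalisation), or a
    single character class: all fall to a dictionary or mask attack quickly."""
    return (len(pw) < 8
            or pw.lower() in COMMON_PASSWORDS
            or normalize(pw) in COMMON_PASSWORDS
            or classify(pw) in ("digits-only", "lowercase-only"))


def summarize(creds):
    pws = [pw for _, pw in creds]
    lengths = [len(p) for p in pws]
    longest = max(lengths)
    return {
        "count": len(pws),
        "avg_len": round(statistics.mean(lengths), 1),
        "min_len": min(lengths),
        "max_len": longest,
        "longest": sorted(p for p in pws if len(p) == longest),
        "classes": dict(Counter(classify(p) for p in pws)),
        "weak": sum(1 for p in pws if is_weak(p)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key:>8}: {value}")
```

The leet normalisation matters more than it looks: a policy that counts `P@ssw0rd` as "mixed case, digit and symbol" is satisfied, yet every cracking wordlist already contains it.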
Password complexity isn't really the problem in this case. The problem is letting your password database get stolen in the first place.
No matter how long your password is it does you no good if it is stored in plain text and stolen by a cybercriminal.
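To make the storage point concrete, here is an added example (my own code, not the post's and not anything from KPN) contrasting the two ways a provider can hold up its end. The first store keeps the password itself, so a copied table is every customer's mailbox password with no cracking required. The second keeps only a per-user salted PBKDF2 hash from Python's standard library, so a stolen row costs the attacker a slow brute-force per guess and reveals nothing on its own. Class and function names, the round count and the record format are choices made for the example.

```python
import base64
import hashlib
import hmac
import os


class PlaintextStore:
    """The failure mode the post describes: a copy of this table is every
    customer's password, no cracking required."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password


PBKDF2_ROUNDS = 100_000  # example value; raise it as hardware gets faster


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


class HashedStore:
    """Per-user random salt plus a deliberately slow key-derivation function.
    Identical passwords give different rows, and each stolen row costs an
    attacker PBKDF2_ROUNDS hash operations per guess."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, PBKDF2_ROUNDS)
        # Self-describing record, so the round count can be raised later
        # without invalidating rows written under the old setting.
        self.rows[user] = f"pbkdf2_sha256${PBKDF2_ROUNDS}${_b64(salt)}${_b64(digest)}"

    def verify(self, user, password):
        record = self.rows.get(user)
        if record is None:
            return False
        _algo, rounds, salt_b64, digest_b64 = record.split("$")
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        base64.b64decode(salt_b64), int(rounds))
        # Constant-time comparison; a plain == can leak via timing.
        return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def leaked_row_contains_password(store, user, password):
    """What someone reading the dumped table learns directly from the row."""
    return password in str(store.rows[user])


if __name__ == "__main__":
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.register("alice@example.net", "welkom01")
        print(type(store).__name__, "row:", store.rows["alice@example.net"])
        print("  password visible in dump:",
              leaked_row_contains_password(store, "alice@example.net", "welkom01"))
```

Note that the UTF-8 encoding call in the hashed store is just how bytes are produced from a string; it offers no protection on its own, and neither does reversible encryption of the table if the key sits on the same compromised server. Only a salted, slow one-way hash leaves the attacker with work to do per account.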
KPN has warned its customers that they should change any passwords they might have reused on other sites like Google or Facebook.
To me, that is the real lesson here. You really *need* to use a unique password for every site you visit, or in the worst case at least for the important ones.
Complexity is nice, entropy is great, but it is all for naught if your service provider can’t hold up its end of the bargain.
Update: @mrkoot on Twitter was kind enough to translate some of the updated information about KPN from Dutch to English, thank you Matthijs.
As some Naked Security readers pointed out, the stolen information posted appears to be from the 2011 compromise of a site called Baby Dump. What is unknown is why KPN claimed in the post on its blog that the 500-plus accounts were actually its customers.
The attackers claim to have accessed core routers in the ISP's infrastructure, and to have initially gained access to KPN's systems through unpatched servers.
It also appears that @KPNwebcare tweeted earlier today that customers were safe as their “passwords are encrypted with UTF8”.
I will leave the interpretation of that comment to the reader, but I don’t think UTF8 is that reassuring.
“You really *need* to use a unique password for every site you visit, or in the worst case at least for the important ones.”
That’s all very well, but if you do, then you can’t avoid writing them all down somewhere or keeping a list of them in your email, which we’re told is also a security risk. At work we used to have to choose a new alphanumeric password for our PC each month; they were too long to remember so we all wrote them on post-it notes which we stuck to the PC.
This is not about strength of passwords, it’s a lack of the company’s encryption of our personal info. In today’s world, that is inexcusable.
"people can't be bothered to choose unique passwords for every site they access" — wait a minute, it's not like this is some trivial thing that users are too lazy to do. I just counted my personal-passwords file and found 150 sites, up to half of which I might access from a personal laptop, a desktop at work, and a smart phone. The sites, taken as a group, impose a chaotic mess of conflicting password rules. So I have to maintain a password file, and keep it both up-to-date and secure in three different places. Not that this is impossible, but don't trivialize how much hassle it imposes on people. It's a big deal, enough that it feels like a theft of my strictly limited time.
The password file was not from KPN but from Baby Dump, a webshop for baby materials. Apparently people do not care much about the complexity of passwords used to buy baby clothes, just as other people don't bother to check all the facts before parroting everything.
The 500+ people's information, it has now turned out, was NOT stolen from KPN. Rather, it was obtained from a web shop and the hacker only published data from KPN's customers (they're a major ISP, comparable to BT in the UK, so there will be many customers in just about any list), to make it appear this was stolen from KPN.
Story here (in Dutch): http://www.nu.nl/algemeen/2738588/gelekte-e-mailg…
PS unrelated, but why does IntenseDebate need to 'update my profile' or 'follow new people'?
@Sheenagh: That’s a very common, but very outdated and counterproductive practice. On very old Unix systems password rotation added some protection, but that security hole has been plugged in every system shipped in the last 15 years, maybe more.
@Don: The only viable solution if you don’t have a superhuman memory is a password vault like Lastpass. Pick one good password, and use that to unlock all the rest, which can be random gibberish. Of course, you are putting your security in the hands of another entity, but at least you only have to trust that one entity to follow proper procedures with your passwords.
Some remarks:
1) The data posted on pastebin probably does not come from KPN, but was stolen in 2010 at Baby-dump.nl
This does not let KPN off the hook, however:
2) All users are advised to reset their password [by mail ;-)] and at least in my case the link in the mail was dead.
3) When you find the proper settings it turns out that the mail password CAN ONLY CONTAIN LETTERS AND DIGITS. So much for strong passwords…
4) Both the messages in the media and the wording in the KPN email states that *passwords were leaked*. IS KPN STORING OUR PASSWORDS instead of using (salted) hashes???
Jan Doggen
The Netherlands
@Don
Use LastPass.
Do we know for sure that KPN stored passwords as plaintext rather than hashes? Reversing passwords from hashes isn't exactly rocket science or computationally infeasible these days, after all.
@Greg W: note, a hash is *NOT* "encryption".
I lived for some years in the Netherlands, and KPN is as outright fraudulent as it can be. Not only will they scratch their users to the last cent (so no surprise to hear about security issues), but their business practices border on intentional malice, as any other KPN client can tell you; I would not be surprised to hear that KPN employees themselves were making profit out of the hacking. (In fact, my name and physical address were given to commercial third parties without my consent, and I received snail-mail spam (lotteries, etc.) during the whole duration of my contract with KPN; and I know it was them, because my name had a unique misspelling, only occurring in my KPN personal data and nowhere else.) So I sincerely hope the law catches up with them.
😂😂🤦🏼♂️🤦🏼♂️🤦🏼♂️
UTF-8 as “encryption”??
Seriously?!