Website publishes passwords for Irish email accounts and bank accounts

Brendan Burgess

Morning Ireland has just said in its introduction

" a website publishes the passwords for Irish email and bank accounts..."

Anyone know what this is about? I can't listen to the rest of the news.

I got a lot of emails yesterday from eircom technical support but I ignored them.

Brendan
 
I think you can podcast Morning Ireland, but probably not until later today or tomorrow.

You can replay the entire programme here: [broken link removed] The bit about this item is at about 1 hour and 47 minutes into the programme.

Some email addresses and passwords were published on an Arabic website (RTE didn't give the URL). Several were based in Ireland. Scary!
 
Haven't heard anything on the news wires either, tech or otherwise.

I can't see how they could publish passwords, any financial system I know of uses encrypted passwords that staff wouldn't be able to decrypt.

If you do hear of any system that does this, avoid.
 
I would guess all the mails are phishing mails and if a website is publishing the details they will have been harvested from phishing/viruses.

I don't believe anyone will publicly publish a list, as I have heard recently the people that gather all these details don't actually use them, instead they sell on the details to others. I'm not sure on the details (so correct me if I'm wrong) but I think I heard details of around 1000 accounts going for something like €50!
 
Didn't hear it but it could refer to a complaint listed in the latest data protection commissioner's annual report, available on dataprotection.ie

Think it's the complaint on page 61...
 
From that audio clip.

Says it has email addresses and passwords published on an Arabic site of Irish users in the HSE, on Yahoo and Gmail.

Affects 3000 Irish people.

Software engineer from Limerick got hacked, tracked the culprit down and found the list.

Hacker hacked into Hotmail to get the account details from Gmail then got the bank account details by asking people in Gmail the details.

Doesn't give any info on the name of the site that published the data.

"Gardai are on the case".
 
They did give some good advice about not keeping all your passwords the same, and not storing important information in web based email accounts.

I've just gone through my old (used only for registrations) hotmail account and deleted pretty much everything. I realised there were passwords to old websites there from when I was job hunting, and at the time I used the same password for everything (I've since found a method for making each password memorable but unique). Exactly the sort of thing they were warning against.
 
With apologies for moving slightly off thread, use PASSWORD SAFE to store your passwords in a safe manner.

It's free, encrypted, and all you need to remember is one good password to access it and get all your other passwords.

I think there is a version that can be used on a memory key.
 
I can confirm that the list exists, and that it provides e-mail addresses and the password for each. No-one who has seen the list (and you'd have to assume that amounts to a lot of people at this stage - if I was able to find it then anyone can) can provide a link to it, or shouldn't at least, for the obvious reason that that would constitute further dissemination of sensitive information.

The best advice is to just change your passwords. Yes, it is a hassle, but it is good practice to change your passwords regularly anyway. It is also good practice to not store any e-mails or files with sensitive information in them - it's up to you what constitutes sensitive information for you, but the obvious one is banking details, and passwords, the less obvious being references to other accounts that you may have. And, of course, keep an eye on your bank accounts for any sign of unusual activity (again that's just a common sense thing to do anyway).

And choose strong passwords. There are lots of decent websites out there that'll tell you what constitutes a weak password (here is one source of info), but obviously anything that someone else might guess about you (spouse's name, pet's name, home town, date of birth etc.) is bad as is any word that may appear in a dictionary. Choosing a strong password won't guarantee its safety, but it helps.

I second the above suggestion of using Password Safe. It helps you to manage your passwords if you have too many to retain easily in your head, and it is preferable to writing them down somewhere. It stores your passwords in an encrypted file which requires a passphrase to open (you obviously have to choose a strong passphrase - a passphrase is basically just a long password). It doesn't make it any less important to change your passwords regularly though.
 
Re: List of email accounts for which passwords have been made public

The list is NOT a list of email passwords and saying that it is, is factually incorrect and scaremongering.

*Some* of the passwords *might* coincide with email passwords if people used the same password for their email and other things.

The passwords were pulled from a website that was compromised and ARE NOT all email passwords.

Considering my email address is on that list I think I'm pretty well qualified to say this.
 
blacknight

Rather than accuse people of "scaremongering", can you tell us what the list actually is and how it arose.

I have deleted the list of email addresses pending your reply
 
Brendan, I know of at least one other person whose email was on that list. There was also a poster on the other thread whose email address was on it.

Blacknight, I'm afraid that many people use the same passwords for their email and other things, bad practice, but that's the reality of it.

Nicola
 
blacknight

Rather than accuse people of "scaremongering", can you tell us what the list actually is and how it arose.

I have deleted the list of email addresses pending your reply

It's a website membership list with passwords basically.

While some of the passwords *might* be the same as their email password it isn't a list of email addresses and passwords.

A few of the people on the list, which include me, have been comparing notes and we think we've narrowed it down to one or two Irish ecommerce sites which would have used an email address and a password to track orders.
 
It is not scaremongering to have stated that the list consists of compromised e-mail accounts. Based on the information available at the time it was a reasonable assumption to make, and I would suggest that the assumption is still a valid assumption until sufficient evidence suggests otherwise. If you believe that such evidence does exist, then you should provide references to it.

The fact is that there are definitely some valid combinations of e-mail address and mail account password on the list. Nobody can say for sure whether those valid combinations comprise a minority of the entries on the list or a majority, so the sensible assumption must be that the accounts listed were compromised and that steps must be taken by the account owners on that basis. The fact that an e-mail address appears on the list at all at least confirms that it has been targeted, and whether any attempts to compromise it have been successful or not, the account owner should investigate further.
 