(the experiment is dedicated to Ron Bowes, who wrote in a blog post: “So, there you have it: lots of awesome data […]. Now, I just have to find one more problem […] and complete the trilogy. Any suggestions? >:-)”)
Last week an important fact about privacy and exposure of personal data on internet was revealed in a blog post by Ron Bowes, an IT security researcher. Millions of individuals’ names and other related pieces of information were “extracted” from a notorious social network and posted on a torrent.
Using this as a starting point, I tried to develop another experiment: what about their passwords? Are they also exposed on internet?
I didn’t use a specific script, but more of an intuitive-method which I will not explain here because of the obvious security issues that would ensue. By applying this method, I discovered lots of sites where “warmhearted” anonyms posted all of the goodies: usernames, e-mail addresses and passwords. More than 250,000 usernames, e-mails and passwords were put together.
Here are some (blurred) samples:
Figure 1: Sample 1- username, password, email
Figure 2: Sample 2 – email (used as username), password, IP
Further on, I analyzed the type of sites hosting this data and then the “quality” of the information I gathered related to one specific social network.
Four major categories of sites provided me with this information. They are represented in the following graph, along with their corresponding percentage (out of the total number of sites):
Figure 3: Excessively generous Internet hosts (%)
Regarding the “quality” of information (i.e.: whether the usernames and passwords are real, and can be used to access the accounts), a list of usernames, e-mails and passwords was created, then, a sample was selected using a random numbers table, and tested.
The results showed that in 87% (+/- 2%) of cases, the available information (username, which, in some cases is the same as the e-mail address, plus password) can be used in order to access the respective social network accounts. Pretty scary, isn’t it?
Going further, in 75% of these cases the same password showed up both for the social network account and for the individual’s personal e-mail. Two birds down with one stone.
To conclude, social network users are exposed more than they believe, as not only their names and private information can be dug up on the Internet, but, with some of effort, their passwords as well.
And please, don’t ask me if your username, e-mail address and password were there, because I don’t keep this kind of information on my computer. Just change your passwords and move on! And take care of your sensitive data next time!
No private information from this study will be kept, disclosed or used against the persons that revealed it.
All trademarks or product names contained herewith are registered trademarks of their owner companies.