# Website publishes passwords for Irish email accounts and bank accounts



## Brendan Burgess (14 May 2009)

Morning Ireland has just said in its introduction

" a website publishes the passwords for Irish email and bank accounts..."

Anyone know what this is about?  I can't listen to the rest of the news. 

I got a lot of emails yesterday from eircom technical support but I ignored them.

Brendan


----------



## Brendan Burgess (14 May 2009)

I rang eircom.net support and they have not heard about it.


----------



## jhegarty (14 May 2009)

Don't see anything about it on the popular tech pages.


----------



## Slash (14 May 2009)

I think you can podcast Morning Ireland, but probably not until later today or tomorrow.

You can replay the entire programme here: [broken link removed] The bit about this item is at about 1 hour and 47 minutes into the programme.

Some email addresses and passwords were published on an Arabic website (RTE didn't give the URL). Several were based in Ireland. Scary!


----------



## car (14 May 2009)

Haven't heard anything on the news wires either, tech or otherwise.

I can't see how they could publish passwords, any financial system I know of uses encrypted passwords that staff wouldn't be able to decrypt.

If you do hear of any system that does this, avoid.


----------



## paddyc (14 May 2009)

I would guess all the mails are phishing mails and if a website is publishing the details they will have been harvested from phishing/viruses. 

I don't believe anyone will publicly publish a list, as I have heard recently the people that gather all these details don't actually use them, instead they sell on the details to others. I'm not sure on the details (so correct me if I'm wrong) but I think I heard details of around 1000 accounts going for something like €50!


----------



## pavlov (14 May 2009)

Didn't hear it but it could refer to a complaint listed in the latest data protection commissioner's annual report, available on dataprotection.ie

Think it's the complaint on page 61...


----------



## Smashbox (14 May 2009)

I dunno how to let you guys see this.

go to this webpage... http://www.rte.ie/news/morningireland/

Scroll down to 'Threat to Irish emails' - opens video clip in a new window.


----------



## Smashbox (14 May 2009)

Argh, that clip isn't playing for me, is it working for anyone else?


----------



## dave2k (14 May 2009)

From that audio clip.

Says it has email addresses and passwords published on an Arabic site of Irish users in the HSE, on Yahoo and Gmail.

Affects 3000 Irish people.

Software engineer from Limerick got hacked, tracked the culprit down and found the list.

Hacker hacked into Hotmail to get the account details from Gmail then got the bank account details by asking people in Gmail the details.

Doesn't give any info on the name of the site that published the data.

"Gardai are on the case".


----------



## Brendan Burgess (14 May 2009)

Well done.

Thanks. Doesn't seem to affect me.

Brendan


----------



## Alias (14 May 2009)

They did give some good advice about not keeping all your passwords the same, and not storing important information in web based email accounts.  

I've just gone through my old (used only for registrations) Hotmail account and deleted pretty much everything. I realised there were passwords to old websites there from when I was job hunting, and at the time I used the same password for everything (I've since found a method for making each password memorable but unique). Exactly the sort of thing they were warning against.


----------



## PM1234 (14 May 2009)

How can you tell if it affects your address?


----------



## Romulan (14 May 2009)

With apologies for moving slightly off thread, use PASSWORD SAFE to store your passwords in a safe manner.

It's free, encrypted, and all you need to remember is one good password to access it and get all your other passwords.

I think there is a version that can be used on a memory key.


----------



## askew70 (15 May 2009)

I can confirm that the list exists, and that it provides e-mail addresses and the password for each. No-one who has seen the list (and you'd have to assume that amounts to a lot of people at this stage - if I was able to find it then anyone can) can provide a link to it, or shouldn't at least, for the obvious reason that that would constitute further dissemination of sensitive information.

The best advice is to just change your passwords. Yes, it is a hassle, but it is good practice to change your passwords regularly anyway. It is also good practice to not store any e-mails or files with sensitive information in them - it's up to you what constitutes sensitive information for you, but the obvious one is banking details, and passwords, the less obvious being references to other accounts that you may have. And, of course, keep an eye on your bank accounts for any sign of unusual activity (again that's just a common sense thing to do anyway).

And choose strong passwords. There are lots of decent websites out there that'll tell you what constitutes a weak password (here is one source of info), but obviously anything that someone else might guess about you (spouse's name, pet's name, home town, date of birth etc.) is bad as is any word that may appear in a dictionary. Choosing a strong password won't guarantee its safety, but it helps. 

I second the above suggestion of using Password Safe. It helps you to manage your passwords if you have too many to retain easily in your head, and it is preferable to writing them down somewhere.  It stores your passwords in an encrypted file which requires a passphrase to open (you obviously have to choose a strong passphrase - a passphrase is basically just a long password). It doesn't make it any less important to change your passwords regularly though.


----------



## blacknight (15 May 2009)

*Re: List of email accounts for which passwords have been made public*

The list is NOT a list of email passwords, and saying that it is is factually incorrect and scaremongering.

*Some* of the passwords *might* coincide with email passwords if people used the same password for their email and other things 

The passwords were pulled from a website that was compromised and ARE NOT all email passwords 

Considering my email address is on that list I think I'm pretty well qualified to say this.


----------



## Brendan Burgess (16 May 2009)

blacknight

Rather than accuse people of "scaremongering", can you tell us what the list actually is and how it arose. 

I have deleted the list of email addresses pending your reply


----------



## NicolaM (16 May 2009)

Brendan, I know of at least one other person whose email was on that list. There was also a poster on the other thread whose email address was on it.

Blacknight, I'm afraid that many people use the same passwords for their email and other things, bad practice, but that's the reality of it.

Nicola


----------



## blacknight (16 May 2009)

Brendan said:


> blacknight
> 
> Rather than accuse people of "scaremongering", can you tell us what the list actually is and how it arose.
> 
> I have deleted the list of email addresses pending your reply



It's a website membership list with passwords basically.

While some of the passwords *might* be the same as their email password it isn't a list of email addresses and passwords.

A few of the people on the list, which include me, have been comparing notes and we think we've narrowed it down to one or two Irish ecommerce sites which would have used an email address and a password to track orders.


----------



## askew70 (17 May 2009)

It is not scaremongering to have stated that the list consists of compromised e-mail accounts. Based on the information available at the time it was a reasonable assumption to make, and I would suggest that the assumption is still a valid assumption until sufficient evidence suggests otherwise. If you believe that such evidence does exist, then you should provide references to it.

The fact is that there are definitely some valid combinations of e-mail address and mail account password on the list. Nobody can say for sure whether those valid combinations comprise a minority of the entries on the list or a majority, so the sensible assumption must be that the accounts listed were compromised and that steps must be taken by the account owners on that basis. The fact that an e-mail address appears on the list at all at least confirms that it has been targeted, and whether any attempts to compromise it have been successful or not, the account owner should investigate further.


----------



## z109 (17 May 2009)

Would it not make sense to publish the affected addresses somewhere? Otherwise, how do you know if you are on the list?


----------



## Brendan Burgess (17 May 2009)

I had it here but took it down when Blacknight accused me of "scaremongering".

It is back again now:

http://www.askaboutmoney.com/showthread.php?t=112923


----------



## z109 (17 May 2009)

Thanks very much.


----------



## blacknight (18 May 2009)

Brendan said:


> I had it here but took it down when Blacknight accused me of "scaremongering".
> 
> It is back again now:
> 
> http://www.askaboutmoney.com/showthread.php?t=112923



It is scaremongering

My email address is on that list, so you want to state to the world that my email address was compromised? 

Do you also want to say the same about every other email address on that list?


You also have no right to publish a lot of personal email addresses on a public website.


----------



## marcin (18 May 2009)

Have you ever heard about spam robots collecting emails from forums? Have you ever heard about JavaScript or other ways of protecting emails from spam-robot collection? You can be sure that this list has been collected by many spam robots already. All those people will receive a lot of V-I-A-G-R-A email thanks to the list. Good job.


----------



## MissSherry (18 May 2009)

Good God, I just found the list and my password published on it in about 3 seconds.

Brendan would you mind please deleting that list from this site? It leaves people wide open to spam and hackers.

Thanks

MS


----------



## Smashbox (18 May 2009)

I think it's a good thing to be able to check if your name is on that list, I support Brendan 100% in him putting that list up. It's there to be found.


----------



## blacknight (18 May 2009)

MissSherry said:


> However I don't think anyone should be rounding on Brendan. He provides a very decent site here and was only trying to help by publishing the list.


That's no excuse for totally ignoring several things:

- he claims the site listed email account details when it doesn't
- he had no right to publish the emails
- publishing the emails not only infringes people's privacy, it also lets them be harvested by bots as already mentioned
- his wild claims about email accounts being compromised border on defamation for any IT professional whose email address is on the list


----------



## Dearg Doom (18 May 2009)

I concur that the list should not be listed on this (or indeed any) site. Publishing the list does not serve the affected individuals well - they may or may not look at this site to be informed and it re-publishes e-mail addresses that they may not desire to have in the public domain, compounding the problem of the original site and the Google cache thereof.


----------



## car (18 May 2009)

*he claims the site listed email account details when it doesn't*
Yes it does. It might not contain your details, but it does contain others.

*he had no right to publish the emails*
Do you need a right to? You personally might not like it and can ask Brendan to take it down but I'd be genuinely interested in seeing any legislation where someone needs authorisation to post (or not) an email address.

*publishing the emails not only infringes people's privacy it also lets them be harvested by bots as already mentioned*
I take the point of privacy but do you think your email wasn't going to be harvested off that Arabic site anyway? So you'll get 2-3 more spam mail messages on top of the other 100 a day. No biggie. Spam filter, bit of perspective here.

*his wild claims about email accounts being compromised borders on defamation for any IT professional whose email address is on the list*
You really should try some of those logins on the list. They do work you know, making the claims not wild. Maybe his assertions that emails have been compromised are incorrect in all cases, but private details somewhere have been compromised, else what else are the passwords for?


*Harvesting is only one of the methods used by spammers to obtain e-mail addresses. Having your address listed on a public website has a negligible impact on the amount of spam you receive.*
Yes, yes and yes. See my point above. Couple more enhancement emails a day in your spam filter folder shouldn't make you change your email address.

I would really lay off Brendan on this one and be more concerned about what people are doing with logins and how hackers got their details in the first place.


----------



## hizzy (18 May 2009)

Can this thread be closed now

Regards

Hizzy


----------



## mickeyboymel (18 May 2009)

*Re: List of email accounts for which passwords have been made public*

It seems the website which was hacked has admitted responsibility: my address was on the list and I have just got this through from them:

> It has come to our attention recently that one of our servers was hacked. A list of names, email addresses and passwords of our customers appeared on a hacker website on the internet. This account was one of those on the list. The website removed the page but a cached page was still available. Fortunately we do not hold credit card information on our servers, this is held by our credit card processing company. We suspect that this was a graffiti type attack. We have since introduced a more stringent password policy and passwords are now encrypted using the latest techniques. We want to sincerely apologise for any distress this may cause and want to reassure you that we will work hard to make sure this does not happen again. We recommend you login immediately and change your password to reduce the effect of the security breach.


----------



## askew70 (18 May 2009)

I agree that there are concerns about posting the list here, but I also think that there are benefits in having posted it. There would appear to be some, and perhaps many, accounts on the list whose password hasn't even been changed yet, so presumably there remain people affected who are still unaware of the issue. Closing this thread will not help them, given that the list (with passwords) is already in the public domain, whereas leaving the thread open has at least some chance of helping them.

One approach to mitigating some of the concerns about the list being posted here is to edit the list and remove the domain portion (everything after the "@") of each mail address. The remaining user portion is still enough to alert people whose e-mail address contains that user portion. The user portion is not unique, so this may alarm more people than those actually affected, but in the worst case this means that more people carefully review their mail account and change their password, which is good practice generally anyway.

As regards the suggestion that posting the list borders on defamation of IT professionals on it, this is a misguided view that just serves to reinforce the mistaken image that IT professionals are immune from these issues. The reality is that everyone is subject to hacks like this. Sure, with a bit of common sense and/or IT experience you can take steps to shield one online account from issues with another by keeping your multiple online identities separate, etc., but at the end of the day if you have an online account at all as either an IT illiterate user or as a highly experienced IT security professional, you are at risk of the account being compromised in some way.
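
The redaction proposed in the post above (drop the domain, keep only the user portion), sketched as an added example that is not part of the original thread: it discards passwords and domains from a constructed list, produces the local parts that would be posted, and shows the false-alarm case the post mentions. The `address:password` line format, the sample entries and all function names are assumptions.

```python
from collections import Counter

# Constructed sample in an assumed "address:password" format; not real data.
SAMPLE_LEAK = """\
mary.byrne@example.ie:hunter2
Mary.Byrne@example.com:letmein
j.murphy@example.org:qwerty
not-an-address-line
j.murphy@example.org:qwerty
@example.net:orphan
"""


def parse_addresses(raw):
    """Return the distinct, lower-cased addresses; passwords are discarded here."""
    addresses = set()
    for line in raw.splitlines():
        address = line.split(":", 1)[0].strip().lower()
        local, sep, domain = address.rpartition("@")
        if sep and local and "." in domain:  # skip malformed lines
            addresses.add(address)
    return addresses


def redact(addresses):
    """Count how many distinct listed addresses share each local part."""
    return Counter(addr.rpartition("@")[0] for addr in addresses)


def publishable_list(redacted):
    """What gets posted: sorted local parts only, no domains and no passwords."""
    return sorted(redacted)


def reader_check(my_address, published):
    """A reader's check against the posted list; a hit can be a false alarm."""
    return my_address.strip().lower().rpartition("@")[0] in published


if __name__ == "__main__":
    counts = redact(parse_addresses(SAMPLE_LEAK))
    published = publishable_list(counts)
    print("posted:", published)
    print("local parts shared by several listed addresses:",
          [lp for lp, n in counts.items() if n > 1])
    # Never on the list, but the local part matches: the over-alarm case.
    print(reader_check("j.murphy@other.example", published))
    print(reader_check("nobody@example.ie", published))
```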


----------



## Brendan Burgess (18 May 2009)

*Re: List of email accounts for which passwords have been made public*

Now that the company involved has emailed its customers, I have removed the list from public view.

Brendan


----------



## Smashbox (18 May 2009)

Thanks for publishing it Brendan, I was relieved to see my own wasn't on there but if it was, I woulda been thankful for you publishing it and bringing it to my attention.


----------

