The State of Hacked Accounts

Orome1 writes "Most users get hacked at high rates even when they do not think they are engaging in risky behavior, with 62% unaware of how their accounts had been compromised, The results of a Commtouch survey presenting statistics on the theft, abuse and eventual recovery of Gmail, Yahoo, Hotmail and Facebook accounts, shows that less than one-third of users noticed their accounts had been compromised, with over 50% relying on friends to point out their stolen accounts. Also, more than two-thirds of all compromised accounts are used to send spam and scams, which is not surprising, as cybercriminals can improve their email delivery rates by sending from trusted domains such as Gmail, Yahoo, and Hotmail, and enhance their open and click-through rates by sending from familiar senders."

Lower limits.

[John+Hasler]

These are lower limits: consider the large but unknown number of users who are not and never will be aware that their accounts have been cracked. Then there are the billions of abandoned accounts...

trusted domains such as hotmail and yahoo?

[way2trivial]

WTF happened while I was napping?

Re:trusted domains such as hotmail and yahoo?

[WoodstockJeff]

Actually, I trust Yahoo and Hotmail slightly more than GMail... on our servers, @gmail.com has a default block on it, because the percentage of mail from that domain that is NOT spam is in the low single digits. It all went down hill when they stopped requiring invitations to join, and crashed when the success rate in mechanically breaking their CAPTCHA registration got over 10%, so it became ridiculously simple to generate thousands of real accounts a day.

Throw in the @gmail addresses that arrive via Yahoo servers (complete with Domain Key authentication), and it's about 1%.

Of course, AOL account traffic (including @aim.com and @cs.com) is running 90% compromised. And, within the last 10 days, domains in the Earthlink family have started to spike with traffic from compromised user accounts. The later is somewhat more ironic, given the problem with getting mail TO Earthlink users, because of their "superior spam and anti-virus filtering"... to become a significant source of spam from infected systems!

This will never end

[thecrotch]

People just don't care enough about it to inconvenience themselves with strong authentication, how many of our mothers use their dog's name, in all lowercase, as their password on every single one of their accounts?

Re:This will never end

People just don't care enough about it to inconvenience themselves with strong authentication, how many of our mothers use their dog's name, in all lowercase, as their password on every single one of their accounts?

Mine added digits and other letters afterward, and I didn't even need to tell her to.

By not helping your mother learn how to secure her password, you're lumping yourself in with the same 'people' you say don't care enough - only in this case it's not even your own password we're talking about - it's your mothers'!

I think the more appropriate reasons are laziness, and shadiness - perhaps you want to know your mothers' password, or you don't care enough to spend 20 minutes explaining how to create a secure one that she can actually remember easily.

Re:This will never end

[thecrotch]

I don't understand why you think I haven't explained this to her, I have, since she first got a computer in 2001. Repeatedly, until I was blue in the face. She doesn't care, she wants things to be 'easy'. I even tried setting her up with Keepass password safe to help keep track of all her web accounts so she wouldn't have to memorize anything. She insisted that I make the master password the dog's name, all lowercase, just like all her other passwords. It's willful ignorance, goes hand in hand with the "I'm not a computer person" mentality.

Re:This will never end

[inglorion_on_the_net]

More than users who won't use strong passphrases, I have a problem with sites that don't allow them. E.g. limiting the password to a maximum of 8 characters, all of which must be alphanumeric. Or requiring that you answer one of a limited number of fixed "security questions".

Re:This will never end

[snakeplissken]

Or requiring that you answer one of a limited number of fixed "security questions".

who cares what the question is, just put in an unguessable answer that you make up, that way no amount of personal knowledge about you can give it away

snake

Re:This will never end

[RsG]

Doesn't matter in context. You're bitching about the wrong problem for the article.

Most of the time when a web based email account gets cracked it isn't that you set your password to "password". Instead it's that you logged in from a compromised machine, and someone got ahold of your actual password, whether it's "fido" or "1xe34v3tsAad". There's a damn good reason I don't check my email anywhere other than devices I know are clean.

(Had something like what TFA describes happen to someone I know; it took her forever to realize that what had transpired was that she'd checked gmail on a coworker's computer and said coworker had been grossly lax in terms of safety. When a scan was run on the box for the first time ever it returned over a hundred bits of malware, some of it serious. The coworker, incidentally, was a private secretary to a lawyer, so this was a "holy shit" moment if ever there was one.)

Think about it for a moment and you'll see why the perpetrators use malware and/or social engineering rather than, say, a dictionary attack; there's nothing google, facebook or yahoo can do about it. They can easily limit the number of login attempts, encrypt usernames and passwords, reject really common passwords during account creation, etc, but if some third party gets the correct password from an infected PC, then when they log in it will appear legitimate.

That isn't to say you shouldn't bother with strong passwords, but if you think having a strong password protects you from everything, you're fooling yourself. The solution here also requires security software and education about admin privileges and trusted vs. untrusted sources for "free" software as it's the likeliest vector for infection (presupposing for a moment that the user needs a windows box, and frankly half the time the answer to that is "yes" for a number of reasons).

Re:This will never end

[QuantumRiff]

I use a different random 20 character Password for EVERY website and service I use (thank you lastpass!).

Last week, google told me my account needed to be verified, after a mobile phone in korea logged into my account. (I also use Firefox or chrome on linux). Only thing I can think of was that there was some sort of XSS (since I keep myself logged into gmail) on either a website my linux box visited, or my android phone. I'm leaning towards the phone, since I use gmail over https on linux.

Re:This will never end

[inglorion_on_the_net]

who cares what the question is, just put in an unguessable answer that you make up

Of course, and that's what I do. But still, it's another attack vector. And I bet many people actually put in easily guessable answers.

Re:This will never end

[txoof]

I was pretty disappointed that TFA didn't offer any suggestions to best practices to prevent hacking, or even suggest how a user might determine if they were compromised. It was just a moment for everyone reading the article to feel aloof and point their fingers at all the plebes under them.

I've been using Google's 2 Step Authentication for a few months, and HTTPS since it was offered and feel pretty secure about the security of my Google login, but if someone hijacked my account, I don't think I would really know until a friend pointed it out, or the hijacker changed the password.

How would YOU tell? What steps can an average, non log-poking user figure they've lost control of their account?

Re:This will never end

So, why have you not set your Mother's machine up to force a minimum password length of 12 characters?

Re:This will never end

[IamTheRealMike]

I work for Google on anti-hijacking and account security. The message you saw is very common. The cause is that there was an attempt to abuse your account to spam your friends. One of the popular tools that does this identifies itself to Gmail as various types of mobile phone, which is why it shows up as such in your account history. In fact, it's a regular program that runs on the desktop. No XSS involved.

In this case, it sounds like we detected the hijacking attempt, rejected the spam, sent your account to phone verification and forced you to choose a new password. This is a standard procedure for when we detect a hijack attempt at mail send time. We're getting better at stopping these attempts at login time using heuristics, so it'll become less common in future.

Re:This will never end

[L4t3r4lu5]

Of course, and that's what I do. But still, it's another attack vector. And I bet many people actually put in easily guessable answers.

Worse than that, they put in the truth. In this age of social networking, it is trivial to find out a maiden name, a date of birth, a child's name, a first school etc.

Re:This will never end

[Inda]

Fuck the survey, this is why I still visit Slashdot.

Re:This will never end

What you need to do is 'hack' her account. Login, send bogus mail that will raise eyebrow. If she don't change the password, reset the password and lock her out. When she finally come ask for help, tell her this is what she get for 'easy' password.

Peoples don't understand the cost of 'easy' until they have to pay it.

Re:This will never end

[Rob+the+Bold]

People just don't care enough about it to inconvenience themselves with strong authentication, how many of our mothers use their dog's name, in all lowercase, as their password on every single one of their accounts?

When we design systems that a substantial portion of our intended users can't or won't use as we intend, then the problem is us, not them.

Systems like online banking, email, ordering books and movies online, etc. . . . these are intended for the general public. As such, they must be designed for the average user to be able to use safely and easily. We cannot fall back on the premise that if the user doesn't know how, then he shouldn't be using it. That's not okay for these sorts of products and systems. It's all well and good that only the dedicated and properly instructed can play an oboe well, operate a backhoe, fly a plane. It's a different story when the system is intended for the average man-on-the-street.

Re:This will never end

[wwfarch]

Using keepass with a master password as the dog's name is FAR preferable to using the same password for all accounts. Someone cracking, or even targeting, keepass or her personally are practically nil. The chances are so small that I'd say it doesn't really matter what your keepass password is. Sure, ideally it's strong but if not, oh well.

Re:This will never end

[thecrotch]

Yeah unfortunately she's going to continue using the same password everywhere no matter what, keepass is helping her keep track of her usernames though so I guess that's something

Re:This will never end

As an avid gmail user and fan I want to praise your implementation of two-factor authentication and application specific passwords. Two factor gives me confidence to log in on nearly any computer and I love the way I can revoke individual application specific passwords.

Re:This will never end

[Transaction7]

As a retired lawyer, you bet this was a h--y s--t moment! You have no earthly idea how sensitive some of the data we deal with can be. Leaking some of it can get you disbarred. Some it can get you or your client, or a witness, etc., seriously injured or killed. Never mind who’s trying to buy what property through a straw man, my practice very unexpectedly came to involve representation of a number of child and adult survivors of incestuous rape, and some of the perpetrators were officials palmed off on us by both political parties. We traced one nasty piece of malware that got onto our two un-networked computers, a number of program disks, and a large case of data floppies, to our computer repairman whose business had got infected, and neither of our well-known commercial antivirus programs had caught it though ours did afterward, maybe from an update. My favorite security leak was when the city sold the hard drive from the police department’s computer to me for $5.00 at a public sale where I also bought some furniture. What genius replaced and sold that to a defense lawyer, or anyone else, without formatting it first, or at all? We had checked carefully one day to be sure we were locked up tight, only to return the next morning to discover our front door wide open, a new printer cartridge, much of a copier cartridge, and most of a box of paper used up, our computers out of action, and a lot of files on many of the same disks converted to what, long afterward, we learned were WordStar 4, Navy DIF, and other formats we couldn't read or write. Our printer had been disabled by switching DIP switches, etc. The police insisted we had left the door open and that all this was done by heat lightning, and refused, up front when we called, to take a report, but sent their computer man over who did get the computers but not the printer or files running. Heat lightning. Right! Another lawyer’s office called me the next business day and reported a similar burglary with nothing but maybe files taken. Five years later, after the statute of limitations had run, we got the evidence including stolen files and the highly-recommended fired employee perpetrator having taken a locksmith course, etc. Later, the office, on the first floor of an occupied office and apartment building across from City Hall, which all the people with newly changed keys swore we had all made sure was locked, was found unlocked and destroyed by what the Fire Marshal showed and told us was clearly arson set in three different rooms, etc. Our fireproof safe file was damaged and opened. Again, no sign of force. Hiring is one of the worst points of vulnerability. I read on FindLaw where the best known name partner at a certain Silicon Valley firm with clients like HP spent $68,000.00 hiring a secretary and she robbed them blind before getting caught. One of the judges here had hired a thief earlier. One of the lawyers who the worst crook I hired had given as a reference and had recommended told me after the fire, and after we discovered he had known she was a forger and thief, that they knew but that it would have been unethical for them to tell me she was a thief so they hadn’t. Wrong. The Fire Marshal told me she had engaged the “torch” who had burglarized and destroyed my office, and she and I had the only keys to the safe file, but, after showing and telling us it had clearly been arson, as if anyone couldn’t see that, he refused to put that in his report and listed it only as “of suspicious origin.” The police never talked to me and, as far as I know, never made a report on this, either. The DA insisted that it couldn’t be burglary if the door was unlocked, but, even with my office destroyed, it took me only minutes to pull the controlling Texas case that it was. Stealing a case of beer out of the open bed of the sheriff’s pickup truck is felony burglary, too, as a foolish client of mine learned. I know who did what and the obscene reason why, and

Duh. The sites themselves have no security.

[dgatwood]

When you have websites like Facebook that, by default, use unencrypted HTTP and a trivially sniffable session cookie for their authentication, there's really nothing a user can do to protect themselves. (Okay, now they offer HTTPS, but that wasn't always the case.)

The problem with HTTPS, of course, is that it is seriously heavyweight. Most content doesn't need encryption; it just needs authentication. For those sites, SSL is serious overkill.

What this really points out is the desperate need for a standard mechanism of authentication that is not based on cookies, but rather nonce-based, similar to the way digest authentication works, but integrated with web pages so it doesn't feel ugly and bolted on. Until we get that, there's really no point in users bothering to secure their accounts. Why choose a strong password when you're basically sending it back and forth on the Internet equivalent of a postcard?

Hacked

[exomondo]

These days users consider their accounts to have been 'hacked' if there is any unauthorized use, like if they leave their smartphone lying around and a friend posts a status update from it that seems to be considered being 'hacked'.

Re:Hacked

[Jibekn]

They also renamed MDMA and decided it was a good idea to consume after even the waste cases of the 80's wouldn't touch the stuff.

My point? They're not very bright.

Re:Hacked

Really? What do they call it now?

Re:Hacked

Ecstacy

Re:Hacked

I picked up your phone while you were in the bathroom poopin'. I am fuckin' leet, bro.

I totally hacked your facebook and told everyone you love the cock. Fear my evil genius.

Re:its time

[Firehed]

Define "bs free stuff". Hotmail peaked years ago, but gmail is extremely popular for good reason and yahoo is also very heavily used. And of the probably dozen or so email addresses I have, they're ALL powered by gmail (even though only one of them is actually @gmail.com). Technically two of them are paid, but that's beside the point. I've dealt with having my own mail server. It sucks. And it's not like it's the service's fault that people choose crappy passwords.

logging please!

This is happening to me right now, I keep getting notice emails from yahoo that someone's trying to reset my password. Both google and yahoo record IP's of where you logged in from, but not the IP's of who's trying to access your account (even for multiple failed attempts), so I can't figure out who's doing it! I'm tempted to backup all my emails, delete them, and reset my password to something simple, just to find their IP!

Trusted?

[ackthpt]

Hotmail? I think I block anything from there. That's spammer haven as far as I'm concerned.

Re:its time

[icebraining]

In fact Gmail now has cellphone based authentication too, which is pretty much safe unless the attacker is specifically targeting you. But people who'll use it are the same who use good passwords, so not much is gained.

trusted domains such as Gmail, Yahoo, and Hotmail

trusted domains such as Gmail, Yahoo, and Hotmail

You're kidding, right?

Re:Duh. The sites themselves have no security.

[Firehed]

Can we get past this already? SSL is not heavyweight, and has not been for years. It's a couple percent of overhead*. Most authentication systems are going to have significantly more overhead than turning on SSL, since they'll be most likely hitting the filesystem or a database to retrieve session information on top of the actual code logic that goes into authentication.

I agree that an authentication system tied more tightly into the browser would be of great value, but it won't happen anytime soon if ever. See: IE6. Hell, even Safari is updated quite infrequently (and even then mostly just security patches, not feature releases), never mind the plethora of mobile browsers floating around these days. That also solves a completely different problem than SSL. There's no getting around the fact that in order to have hijack-proof sessions, all of the authentication data - whether in the form of a session cookie or some new, novel mechanism - needs to be sent encrypted. Not necessarily SSL, but that's more or less a solved problem so why not? I also quite like the idea of nobody knowing what URLs I'm hitting.

* Excluding the time spent tracking down that one damn analytics script that's pulling in a tracking pixel over http and making browsers throw up all over the place

Won't work in the UK

http://en.wikipedia.org/wiki/Nonce_(slang)

but is a brilliant time to link to the wonderful Nonce Sense episode of Brass Eye:

http://en.wikipedia.org/wiki/Brass_Eye#Paedophilia_special_.282001.29

OK, I don't understand.

Why go to all the trouble of stealing a Yahoo account when they can be opened for free?

Re:OK, I don't understand.

[icebraining]

Trust. An email which comes from an account you've already sent email to is often not labeled as spam since it's assumed you trust it. Not to mention that some people actually believe the person sent it instead of a bot (think "Hey, check out these pics" type of spam)

Re:OK, I don't understand.

[Quirkz]

Also, your address book.

Re:Duh. The sites themselves have no security.

Nonce based? I guess you're thinking of the kids.

IT departments do it too

[shoehornjob]

I had a customer yesterday that wanted to change her email password so that it could be the same as the checking account and had me do it because she couldn't figure out the " stupid wavy letters thing" (captcha). She was bitching all the time about security requirements (numbers letters min 8 w caps) but she might as well have given me the keys to her bank account. For the most part my customers don't care about security untill someone has drained their bank account and put a bunch or fraudulent charges on the credit card. Whatever...not my problem.

MMO Accounts?

[Guppy]

I'd be interested to know some statistics regarding MMO accounts.

Like bank and money-transfer accounts, game accounts can be converted into cash. Sometimes quite a bit of cash -- prime accounts on some MMOs can be liquidated for hundreds or even thousands of dollars sometimes. But unlike "real money" services, law enforcement has little interest -- in either the criminal or the MMO company -- since in their eyes, it's just a game.

Often, the operating company itself has little interest. As an example, consider Final Fantasy XI. When reports of hackings in FFXI started, they were initially ignored by SquareEnix. Then, the company played "blame the victim", insisting account owners must have executed 3rd party cheats or visited dodgy websites -- no account recovery of any sort was possible. RMT ran amuck, and stolen accounts were all over the servers. If you were still being billed for service, sometimes your only option to stop things was to initiate a chargeback.

Things only changed once it started hitting them in the pocketbook. As FFXI aged, fewer new accounts signed on to offset the bleeding playerbase, while disputes with credit card companies soared (resulting in SE's current problems accepting credit cards -- they've been blacklisted by credit card processors). Now we've got online security that's better than most banks (like a two-factor dongle). Sure took them a while to learn the lesson, though.

Re:MMO Accounts?

[JDeane]

I used to have a World of Warcraft account, I use gmail as my primary email service. One thing that happened to me is that about 8 months after I stopped playing WoW I get a lot of weird emails overnight. the last one bothered me the most. "From the Gmail team" or something to that effect, what it boiled down to is that some one in China had accessed my email through "unknown means" and managed to get my passwords and account information for WoW then they proceeded to have like 12 demo's of WoW, I changed my gmail password to some crazy 36 long letter number soup and contacted blizzard... This has been months ago, the end result is that Blizzard pretty much says that if I wanted to play WoW in the future I would need to buy the game and the expansions I had again... Awesome customer service Blizzard! Love you too! /sarcasm

Re:MMO Accounts?

That's interesting as my own Gmail account was hacked a couple of months ago. I don't play WoW but there was a Blizzard connection. Seems my account was accessed by someone in a Korean internet Cafe. Gmail alerted me to this, and had given the accessors read only access. Nice work from Gmail team to anticipate and combat this. Had I been travelling they helpfully provided a link for me to verify the access and use it. The only strange thing in my inbox was a congratulations for opening your Battle.net account email from Blizzard.

After going through my email archive and changing any password referenced in an email (yeah, took a few hours), then contacting anyone I needed to, I got in touch with Blizzard. Now their email had no link (as many others do) to cancel the account if opened in error. I contacted their customer service to explain the situation and was rewarded with a canned response asking me to include my full account details in any further communication before a response would be given. Hard to do when the account has been opened through fraudulent use of an email account Blizzard!

After firing off a second, angrier, email, Blizzard let me know they had closed the account. But really they have made things very hard for themselves here, giving such a run around for people trying to report fraudulent account creation on Battle.net. Makes me glad I'm not a customer. A week later I received an email warning about improper use of a WoW account connected to my email. I didn't bother responding.

Re:its time

[Jibekn]

Define real, when there's ISP's http://www.mts.ca/ outsourcing their email systems to hotmail, what exactly is real?

Hacked

[stumblingmonkey]

This would've been much more interesting if you would've posted it as CmdrTaco.

Seldom used accounts get hijacked.

[FoolishOwl]

A few people I know have had email accounts hijacked by spammers. In each case, it was a purely Web-based email service, the user used a weak password, and the user didn't notice the account had been hijacked until told by others, because the user seldom used the account.

On the whole, that makes this seem like a minor nuisance, not a crisis. Remind people to use strong passwords, and consider closing disused email accounts.

Where the hell is our feedback

Most people don't know they've been hacked because there's no way to tell if the guy's got even two braincells. At the very least give us the goddamn Last Logged in IP!

Re:Where the hell is our feedback

It will never happen.

Years ago I got some spam from some dipshit, hunted down who it was, and forwarded it to various abuse@ addresses along the way. I included a cc to dipshit. Next thing I know, my hotmail account is disabled by MS. I actually talked with them on the phone. Even though I could prove I was who I said I was, they wouldn't even tell me why the account was closed "for privacy reasons." What privacy reasons? It's *my* account. Didn't matter.

So if you think they're going to hand out what might be some stranger's IP address just because they happen to be trying to hack your account, you're crazy.

Re:Duh. The sites themselves have no security.

[LordLimecat]

Im not sure that HTTPS qualifies as "seriously heavyweight". A Pentium4 processor can handle about 400mbit/sec of AES SSL-- lets assume this is the home computer. Rendering the HTML, running scripts, and handling the flash content would comprise a far bigger portion of the CPU usage than perhaps 1meg of SSL'd traffic.

On the server side, you can right now get a $250 Xeon E3 1220L, using ~20watts, which can handle ~13gbit/second of AES traffic (with the AES-NI extensions). If thats not sufficient, you can always get a second one.

Encryption is now very cheap, CPU-wise. (P4 stats taken from an actual freebsd box with 'openssl speed'; Xeon stats extrapolated from TrueCrypt and OpenSSL benchmarks on E3 series CPUs).

Original Survey?

Anyone know where the methodology and results of the original survey are? TFA seems to imply that someone's account has been "hacked" if e-mails are being sent using it as a From: address, which as all people familiar with SMTP know has no meaning whatsoever.

Re:Original Survey?

[scdeimos]

There's a link at the bottom of TFA [PDF warning] http://www.commtouch.com/download/2177, and it does talk about actually compromised email accounts from Gmail, Hotmail and the like since those providers are less likely to be blacklisted for spam/uce.

Re:Duh. The sites themselves have no security.

[Graymalkin]

The sustained data rate is not the heavyweight part, it's the heaviness of building a session. With most web services it's the transaction throughput that's important. The problem is magnified by the number of transactions needed for a single page load on modern sites.

Apple Stores

[EEPROMS]

If you want to have fun with a random facebook user visit an Apple store and it wont take long to find a machine with a facebook account still logged in. Some of the results can be very amusing

Imitation Watches at Replica Watches

[stonefoz]

Imitation Watches at Replica Watches

TOP grade Replica Watches of high quality at wholesale prices!
Join the wise shoppers to let your dreams come true.
BEST deals of imitation watches plus FREE shipping!

*PLEASE NOTE*
You are receiving this email because you or some one with your email has subscribed in our website.We have No aim of spamming and at any time if you want to stop receiving email from us,Just use the unsubscribe button At the end of the email,But you will Lose out our Special offers and Make money online news

Unsubscribe me from this list

Re:Duh. The sites themselves have no security.

A Pentium4 processor can handle about 400mbit/sec of AES SSL

No shit? That's 0.0000000667% of my slow-ass 6 Mb/s line. A throwaway calculator's processor from 20 years ago could handle that.

Re:its time

[Runaway1956]

"I've dealt with having my own mail server. It sucks."

Factor in there that most users aren't competent to set up a mail server, however insecure it might be. In fact, online mail is so very popular because most users can't even set up a mail client! Way back, when the internet was much newer, I set up Pegasus Mail for some people. (at that time, Outlook seemed to be the number one vector for virus/worm infections) They thought I was some kind of genius, based on the ability to set up a client! Had I suggested, and implemented, a server, they probably would have fallen to their knees and worshipped me, LMAO!

Oblig...

[rocketPack]

That may not be a bad start, actually...

Re:Oblig...

1, 2, 3, 4... that's the password an idiot would use on their luggage!

Re:Duh. The sites themselves have no security.

SSL is not a few percent overhead, it is a total show-stopper once you try to put any part of your content through a third-party cache. Web browsers don't want to deal with a split secure/cleartext source, even if there is no possible way for MITM jpgs to create a fatal XSS flaw.

You could just give the family jewels, um, signing key to your caching partner, and pray that they don't spill it. It's not like anybody will notice, what with all the CAs falling.

Re:Duh. The sites themselves have no security.

For websites that do dynamic content, the processing overhead of properly implemented SSL is close to trivial -- in any case it's not even near "seriously heavyweight". It is potentially more work though and the latency can be noticeable.

If you don't believe me, believe Google Adam Langley: "In order to [switch GMail to HTTPS] we had to deploy no additional machines and no special hardware." "SSL/TLS is not computationally expensive any more." -- and this was almost two years ago.His writeup also explains well the latency problems that still plague HTTPS and how to mitigate them.
Overclocking SSL

Third party websites

[DNX+Blandy]

The reason Hotmail, Gmail, Yahoo and Facebook accounts get hacked is because of the shitty third party websites like those little small "gameing" sites, they get hacked and guess what? Oh! the user has used the SAME password for for their main email accounts. If people used just 2 passwords, this would stop their primary email accounts getting compromised. 1 main password for main account, and another for the shitty freebee websites which will probably get hacked. Simple!

Re:Duh. The sites themselves have no security.

[L4t3r4lu5]

Analytics script? What's that?

http://noscript.net/ If it's not from the trusted domain, it doesn't get run. Ever.

Bad article is factually wrong or just bad?

[gsslay]

"Most users get hacked at high rates even when they do not think they are engaging in risky behavior,"

'Most users' do not get hacked. Therefore this article's very first statement is total nonsense. What the article meant to say is either;

"Users get hacked at high rates even when they do not think they are engaging in risky behavior,"

or

"Of Users who have been hacked, most do not think they are engaging in risky behavior,"

What "at high rates" means is a mystery that isn't explained in the article. There is no ratio of hacked email accounts to not-hacked email accounts quoted, so how has it been determined to be a "high rate"?

Google 2-Factor Auth

Sounds like a good time to promote Google's 2-step authentication. Awesome stuff, integrates with a token generator app on my iPhone and makes it significantly more secure without being a hassle. If you have to check your email on an untrusted computer, it doesn't matter if your password is sniffed. It would be unusable without also having the one-time use token.

Idle accounts

[ub3r+n3u7r4l1st]

Check all your accounts once in a while to look for suspicious behavior.

I have a facebook account that was hijacked by someone that I believe is going after the same girl. And then the account was being to sent lewd messages and materials. By the time I discovered it was too late. It has been four years since then and I still having trouble for reconciliation.

"Log-in with" is a major source of this problem

[forrie]

I've been hacked twice, and it's because of these websites that feature a "log in with that have code to intercept your credentials. Either the website operator does it deliberately or the site has been backed to siphon the information.

So much fun spending an afternoon deleting spammy comments from my Twitter account because of this. It won't happen again -- when I visit a site that only allows login through another provider, poof I'm outta there.

Re:"Log-in with" is a major source of this problem

[forrie]

Oh how I dislike the Slashdot comment parsing :-)

What I posted there referred to sites that have a log-in-with (Twitter, FB, etc). :-)