They’re not very expensive

Passwords belonging to British cabinet ministers, ambassadors and senior police officers have been traded online by Russian hackers, an investigation by The Times has found.

Email addresses and passwords used by Justine Greening, the education secretary, and Greg Clark, the business secretary, are among stolen credentials of tens of thousands of government officials that were sold or bartered on Russian-speaking hacking sites. They were later made freely available.

Two huge lists of stolen data reveal private log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials, an analysis shows — including the department’s own head of IT.

Apparently they’re £2 each. But then that’s probably about what they’re worth. Both in the sense of well, what’s going to be so exciting about their accounts and also in the sense of how tough is it going to be to guess?

Don’t forget that Harriet Harman’s login to her WordPress site was “Harriet” “Harman”.

6 comments on “They’re not very expensive”

  1. “£2 each” is a bit misleading. It’s £20k for the job lot. Given how few buyers there would be, that’s probably still too high.

  2. Strictly speaking, you’re talking about the price not the value. Intellectual property. Can be sold, but the seller doesn’t lose possession of the thing being sold. So can sell it again.

    I’d imagine the e-mail addresses themselves are relatively high value. Those of high earning economically active people. Contrast with a haul of random g-mail addresses, a large proportion of which will be 14 y.o’s with 5 quid a week purchasing power, logins for pr0n sites, long forgotten spam dumps etc

  3. Log in details and passwords to what?

    This is probably some mass consumer website that got hacked. Like a photosharing site or something pretty much irrelevant. My Vivino password is pretty weak because well, I don’t care that much if someone hacks my wine ratings.

    Anything serious has 2 factor authentication. I know this because I’ve worked on serious stuff. Even if you know someone’s password, without a hardware dongle, you aren’t getting in.

  4. Anything serious has 2 factor authentication.

    Err, not HMG side. They’ve gone away from dongles. A lot of stuff is now using SMS one-time passwords (HMRC, NCSC) but a lot of stuff is still user name and password.

    Admittedly, remote access requires some form of client-side (certificate?) authentication but if you think there are no exploitable flaws in the “Cisco Anywhere” stack …

  5. Oooh, oooh do you think that there’s a lot of hot girl-on-girl action on Justine Greening’s account?
