Password Cracking - Incidents

Incidents

On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. By the time they were discovered, they had already cracked 47,642 passwords.

In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The cracker then leaked the full list of the 32 million passwords (with no other identifiable information) to the internet. Passwords were stored in cleartext in the database and were extracted through a SQL Injection vulnerability. The Imperva Application Defense Center (ADC) did an analysis on the strength of the passwords.

In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data were leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals. The aim of AntiSec is to expose personal, sensitive, and restricted information to the world, using any means necessary.

On July 11, 2011, Booz Allen Hamilton, a large American Consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. "The leak, dubbed 'Military Meltdown Monday,' includes 90,000 logins of military personnel—including personnel from USCENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors." These leaked passwords wound up being hashed in Sha1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.

On July 18, 2011, Microsoft Hotmail banned the password: "123456".