Facebook, Paypal accounts released by hackers

Source: CBC

The hacker group Lulz Security is claiming it released log-in information for 62,000 private internet accounts Thursday, including Facebook, PayPal, dating sites, Xbox Live and Twitter.

The list is mostly American accounts but includes hundreds of Canadians, including a CBC journalist from Prince Edward Island, and employees of all three levels of government, including provincial public servants in Alberta, Nova Scotia, and Prince Edward Island and at least one municipal worker in Whitehorse.

(snip)

The group's Twitter feed contains bragging from people who claim to have taken the information and logged on to people's personal sites: taking money from PayPal accounts, replacing dating site profile pictures with pornographic images, and engaging in chats using other people's Facebook accounts.

(snip)

Lulz Security, also known as LulzSec, was also in the news this week after claiming it had attacked the websites of the CIA and the U.S. Senate. It had previously taken credit for hacking into the systems of Sony and Nintendo and for posting a fake story about dead rapper Tupac Shakur on the PBS website after the public television broadcaster aired a documentary seen as critical of WikiLeaks founder Julian Assange.

Read more: http://www.cbc.ca/news/canada/prince-edward-island/story/2011/06/17/pei-lulzsec-personal-internet-accounts-584.html

If you defend them, then you may change your tune when they hack into your personal information.

Maybe people shouldn't put information on the intertubes if they don't want it read.

I hope they spend long years in jail for being so awesome.

Were did they take it?

If that is the case then, google stole my house and posted it on the internet with their google earth app.

Pretty hard to argue that that isn't, but you're welcome to try.

I didn't see it. Is that in another article?

edit: clarify that I'm talking about Lulzsec.

The group's Twitter feed contains bragging from people who claim to have taken the information and logged on to people's personal sites: taking money from PayPal accounts, replacing dating site profile pictures with pornographic images, and engaging in chats using other people's Facebook accounts.

out of Paypal accounts...They had my support until they began attacking people who have literally done nothing wrong at all. Defending them says a lot about who you are.

The people who published the trivial passwords, or the people who used the accounts?

I support harassing the powerful & those institutions who are screwing up our Democracy...But to go after every day people is something I can't support. How can this be defended? Why are people here on DU defending such behavior? I bet it won't be funny if it happens to them.

A picture of your house isn’t theft. If you have it under a big tent and someone sneaks into the tent to take a picture, it could possibly be an invasion of privacy. They stole personal information, account numbers and passwords, as well as money. That’s theft. If you think you’re immune, you’re kidding yourself. The fact that you are using a computer right now is exposing yourself. That little star by your name tells me you donated to DU (unless someone donated in your name). Did you send them a check or did you do it online?

The fact that you support them makes me question your ethics.

If they hack into my account, they can transfer money to their account. That's theft. Plain and simple.

Theft does not imply any physical location. So "where" isn't an issue.

"Maybe people shouldn't put information on the intertubes if they don't want it read."

That information is intended to be private, like the inside of your bathroom when you're in it.
It's like you're saying that you are fine if someone had secret cameras in every bathroom you've ever been in. Because you wouldn't expose yourself like that if you didn't want to be seen.

take money, transfer it from my account to yours without my permission, that also is theft. They took the money from paypal accounts and transferred it to theirs. It IS theft.

it's stealing information from a server. The information isn't theirs, and therefore, that equals theft.

It's nowhere near the same as taking a picture of your house. Instead, it would be like somebody stealing your mail and running away.

But then thieves think all people are also thieves.

Did you even read the OP? They are stealing money from people!

Maybe you didn't read the article about them stealing money? I am giving you the benefit of the doubt here as I don't know how you could think that was "totally awesome".

Everybody uses the internet nowadays to do transactions. It's so much easier and more efficient than the old ways.

These hackers are criminals that hack just because they can.

Good luck putting THAT genie back in the bottle.

The list shows that the most common password is 123456, which shows up almost 600 times. Another very common password is "romance."

My best guess is about half the passwords in the USA are the names of the persons' pets. And many people use the same password across multiple, if not all, of their accounts meaning that if one account is compromised then all the rest are too.

Guess how many folks have "banking" as a password for a different kind of site.

So I'm totally secure: My password is 654321! Take that! ;)

I've seen the list and checked it for my data, which of course, doesn't show up. A little bit more internet savvyness could work magic for some people. And if there's something yu don't want to have out there, write the thing in a journal and lock it in a drawer.

I thought of using that but elected to use fuckoffyou****

nothing is secure online

"...after the public television broadcaster aired a documentary seen as critical of WikiLeaks founder Julian Assange."

I'm sure Julian is happy to have their support.

group trying to make people scream for more security or laws so that Anonymous would be prosecuted? Why would a group of hackers expose regular peoples information unless they have an agenda? It would make sense if they did it secretly to sell the info - but this makes no sense. It doesn't expose anyone or anything, just messes up a lot of regular peoples lives.

They do it for the lulz.

There's a certain edge of cruelty in what they do -- but more than anything else they're angry at society, angry at people who let themselves be taken advantage of, and angry at the vultures who exploit those who don't know better.

Even if you don't think of yourself personally as a sheep, you could be vulnerable. Suppose, for example, you're using the same username and password at DU as at a number of other sites -- and somebody hacks just one of those other sites and uses your personal information to post here under your name, alienate all your friends, link to porn sites, and put up terroristic threats that get the FBI after you.

That may sound hypothetical, but it could happen -- when Andrew Breitbart runs out of actual public figures, he's going to have to come after people like us, after all. And our best defense against it is if all of us upgrade our personal security right now, make sure we have a different password for every site, and encourage the sites where we're registered to upgrade their own data encryption policies as well.

That's the message LulzSec is trying to get out -- and it's one we need to hear.

Don't try to pass this off as some type of "crusade". They're punks and I hope they all go to prison.

They're angry at society? Fuck them. Let them come out of the closet and introduce themselves to someone who just got hacked in time for the fucking weekend. They'll find out how "society" feels about them. They're assholes that are too afraid of real attention, so this is what they do. Take advantage of innocent strangers for fun.

Angry. Seriously...wtf?

I don't know what happened to them recently, but IIRC most of their actions until the very recent past have been "hey, we hacked in, here's how we did it, this is what we were able to take, here's how you fix it". Our own government has actually hired people who have done exactly that in the past, and it's clear we didn't actually learn anything, because LulzSec took out CIA.gov with a relatively simple packet flood. At least one of their recent targets was keeping the usernames AND PASSWORDS in a plain-text file. That's the worst possible "security" practice.

I don't know what went on recently, but it sounds like there are some new members that aren't as ethical as past members have been.

He finds an open one and robs the house. He is really doing you a favor and we need to hear his message.

Criminals excusing criminals.

According to the article, they published usernames and passwords. That's not the same as doing something with those usernames and passwords.

They hacked the sites. They should be held as accomplices in any crime or resulting loss.

Funny how some around here think that they are servers of the public good.

The PayPal thing does bother me, but on the other hand, no website would actually advertise how insecure their passwords are. One story I heard in a podcast yesterday (I think it was Tech News Today on the TWiT network) revealed that one of the sites LulzSec hacked was actually storing the usernames and passwords in a plain-text file, unencrypted.

When they hack into a sote, take the usernames and passwords, publish the fact, along with how they did it.... well, if they're not selling that information and not actually stealing money (like they did with PayPal) or other things, it does help button up security.

I mean, seriously- wouldn't you be concerned if, say, DU was holding your account information in a woefully insecure manner? No encryption, no shadowing of passwords, nothing but plain text? I would certainly want that changed, but it won't happen in most places (especially companies that think they don't need to spend on an IT budget) until the site is compromised.

Take the Sony PSN hack, for example, I know I would have been pissed off if I couldn't play Portal 2 until a month or more after the release because someone brought down PSN; on the other hand, Sony was knowingly keeping that information behind an old, unpatched version of Apache running without a firewall. That's a compromise waiting to happen, Sony knew about it and did nothing..... until.

If that had never happened and PSN had never been attacked, we would still be in the dark about the poorly secured information, and someone else could have come along and done more damage yet. The hack forced Sony to seriously change how they store that information and I don't think the same kind of hack could happen again.

I'm not exactly apologizing for grey- and black-hat hackers here, but this is a useful function such have always served. And really, if we're going to prosecute even white-hats who do this to demonstrate a site's or service's insecurity, is it any wonder their hats change color?

LulzSec does it for the "lulz," meaning that they want to cause as much havoc and destruction as possible for their own personal satisfaction. It's very sociopathic.

They do not have any goal or reason other than to cause anguish. This is how they get their laughs. They are committed and effective trolls that go beyond conventional methods - they want to actually hurt people in real life (example: posting seizure inducing GIFs on an epilepsy forum).

http://howsecureismypassword.net/ (Yes, it's secure.)

It's always best to stay on the safe side and use a very, very random combination of low/upper case letters and numbers like 'OnMrTzu81Kqrm00eWgz3' Yes, it's a bitch to remember, so write it down safely somewhere, besides, once entered, most browsers will remember it until you clear all cookies (which, of course, you should do as well.) Phishers and hackers will gnaw their teeth off on these.

Or use your famous quote. The longer, the better.Just don't use '123test.'

Mythological Deities coupled with important dates make for difficult (but obviously not impossible) passwords.

According to the site Minerva1812 would take about 6 thousand years to crack.

And Bonus there are literally thousands of mythological deities.

1. Used a dictionary word, bad.
2. Mixed case, good.
3. Did not mix in non-characters, bad.
4. Over 8 characters, good.

...But 6 thousand years? No. It's far too short and simple.

One of my passwords is something like V89YN#$'>@. Another is something like wiomyshpmpm. It says the first could be cracked in about a day, and the second in about 169 days, yet every other website I've ever used says that the second is the weaker, and the first the stronger.

It just makes me wonder how password security is being measured across sites.

Dicking other people over this way is sociopathic. If they were trying to illustrate security flaws, as some people here have claimed, then they'd have contacted the sites and/or users, rather than posting the information for the whole world to take advantage of.