Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

A brief look at the latest @LulzSec release

Earlier today, the hacker collective Lulz Security released a batch of 62,156 email/password combinations from unknown sites; I decided to take a look at the data and see if there was anything to be learned from it.

So, let’s take a look at a few stats:

Total Domains: ~5,230

Top 15 Domains:

[Chart: Top 15 Domains]

There are over 50,000 unique passwords, but even with this many passwords, there are still a few quite common, and very bad, passwords in use:

[Chart: Top Passwords]

While this is a fairly small release, the LulzSec Twitter stream has a number of entries like these:

There are several tweets about people accessing Facebook, Twitter, and even Amazon accounts. What’s so unfortunate here is that service providers could easily restrict accounts on lists like this to protect the users and greatly reduce the impact of these breaches.
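One way a service provider could act on a published list, as an added example that is not from the original post: check each leaked pair against its own user store and lock only the accounts whose current password matches. The `email | password` line format, the PBKDF2 user store, and every name below are assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the provider's real scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "locked": False}


def parse_dump(text: str):
    """Yield (email, password) from 'email | password' lines; skip malformed ones."""
    for line in text.splitlines():
        email, sep, password = line.partition("|")
        email, password = email.strip().lower(), password.strip()
        if sep and "@" in email and password:
            yield email, password


def restrict_exposed_accounts(users: dict, dump_text: str) -> list:
    """Lock accounts whose current password appears in the dump; return their emails."""
    locked = []
    for email, leaked in parse_dump(dump_text):
        user = users.get(email)
        if user is None or user["locked"]:
            continue  # not our user, or already restricted
        candidate = hash_password(leaked, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["locked"] = True  # require a password reset before the next login
            locked.append(email)
    return locked


# Constructed sample data, not taken from the release.
USERS = {
    "alice@example.com": make_user("123456"),            # reused the leaked password
    "bob@example.com": make_user("long unique phrase"),  # listed, but different password here
    "carol@example.com": make_user("password"),          # not in the dump at all
}
SAMPLE_DUMP = "alice@example.com | 123456\nbob@example.com | qwerty\nnot-a-valid-line\ndave@example.org | letmein\n"

if __name__ == "__main__":
    print(restrict_exposed_accounts(USERS, SAMPLE_DUMP))
```

Because the stored hashes are salted, the check has to re-hash each leaked password with the matching user's salt. Only accounts that actually reused the password are locked, so users who appear on the list with a different password are not disrupted.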

Until people learn that password reuse is dangerous, this will keep happening.

Update: I’ve removed a link to a tweet, as the account has since been removed. The tweet said: “@LulzSec Cheers for the paypal account with £250 in it! ;)”
