Passwords lost for 16 million email accounts

By EDRi · January 29, 2014

The German Federal Office for Online Security (BSI) revealed on 21
January 2014 that, according to information from law enforcement
agencies and research institutions, the usernames and passwords for the
email accounts of approximately 16 million users (the majority of them
Germans) had been compromised.

The theft was discovered during an analysis of illegal botnets. BSI said
the computers of the users whose data was stolen were likely infected
with malicious software. The authorities created a site where users
could check whether their address was included in the list of hacked
addresses. BSI advised victims to digitally clean their computers and
change access to their online profiles.

“The theft of the passwords demonstrates the importance of building
better passwords. It also shows that the networks of hijacked computers,
so-called botnets, are key for serious criminal activities and fraud.
The human factor is still the weak link in IT security; it is not about
technology. Mankind is the security issue here; so, companies have to
become even better in educating and ‘patching’ your staff,” said ENISA.

It seems that the German authorities already knew about the theft in
December 2013 but kept it quiet in order to have time to make the
“necessary preparations”, as BSI President Michael Hange told
Bayerischer Rundfunk radio.

Yet, Justice Minister Heiko Maas, responsible for consumer protection as
well, said he was not familiar with such processes and stated that “If a
tip is received and there is even a small chance that it’s to be taken
seriously, that must be communicated quickly.”

Hackers access 16 million email accounts (21.01.2014)
http://www.thelocal.de/20140121/agency-warns-of-16-million-email-accounts-hacked-bsi-germany

BSI knew about huge data theft weeks ago (22.01.2014)
http://www.thelocal.de/20140122/authorities-knew-about-hacking-in-december

16 Million e-identities & passwords theft (22.01.2014)
http://www.enisa.europa.eu/media/news-items/news-flash-statement-re-16-million-e-identities-passwords-theft