Ipswitch Blog

Over 100,000 Stolen FTP Credentials

| September 22, 2010 | Data Breach, Secure File Transfer

Here’s another reminder for webmasters and server admins that you need to carefully protect your FTP login credentials because people are trying hard to steal them.

Last week SC Magazine wrote about a website containing over 100,000 stolen FTP login credentials. Network security and management firm Blue Coat discovered the sensitive files, which contained username and password combinations for FTP servers located around the globe.

The really scary part of this story is that most of the compromised passwords were deemed “reasonably strong,” according to Chris Larsen, a security researcher at Blue Coat. The breach wasn’t the result of weak passwords that were easily cracked or guessed. The credentials were stolen by an attacker who used sophisticated tools to get access to the victims’ machines or networks, and then watched for the logins as they happened. Plain FTP makes that easy: the username and password travel over the control connection in cleartext, so anyone who can see the traffic, or who controls the client machine, gets them for free. A strong password is no defense against that. Encrypting the session with SFTP or FTPS takes care of the network side; only logging in from machines you trust takes care of the other.

“The discovery, however, does provide an opportunity to remind webmasters that their FTP credentials should be protected and treated with as much care as banking credentials.  Try to only use them from computers that are known to be secure.  The bad guys want your login.”
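To make the “watched for them” part concrete, here is an added example (not code from the original post or from Ipswitch) of the parsing a sniffer needs to turn a captured FTP control channel into a username and password. The two session transcripts are constructed for the example; the banners, usernames and passwords are made up. The same logic, run over your own packet captures, is a quick way to find cleartext FTP logins still in use on your network.

```python
"""Added example: what a passive observer learns from an FTP login.

Plain FTP sends USER and PASS as cleartext lines on the control channel, so
anyone on the network path (or malware on the client) can harvest them with a
few lines of parsing. Explicit FTPS switches the channel to TLS before the
login, so the same observer sees only ciphertext. Both sessions below are
constructed samples, not real captures.
"""
import re

# Constructed sample: a plain FTP session with one failed and one successful login.
PLAIN_SESSION = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"USER webmaster\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS wrong-guess\r\n"
    b"530 Login incorrect.\r\n"
    b"USER webmaster\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS Tr0ub4dor&3\r\n"
    b"230 Login successful.\r\n"
    b"QUIT\r\n"
    b"221 Goodbye.\r\n"
)

# Constructed sample: explicit FTPS. After the server's 234 the channel carries
# TLS records (0x16 0x03 0x03 is a TLS handshake record header); the login
# happens inside the tunnel and never appears in the clear.
FTPS_SESSION = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"AUTH TLS\r\n"
    b"234 Proceed with negotiation.\r\n"
    b"\x16\x03\x03\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)
    + b"\x17\x03\x03\x00\x2a" + bytes(42)
)

USER_RE = re.compile(rb"^USER (.*)$", re.IGNORECASE)
PASS_RE = re.compile(rb"^PASS (.*)$", re.IGNORECASE)
REPLY_RE = re.compile(rb"^(\d{3})[ -]")


def harvest_ftp_logins(stream: bytes) -> dict:
    """Walk one reassembled FTP control-channel stream (client and server
    lines in order) and return what a sniffer can recover from it:

        {"tls": bool, "logins": [(user, password, succeeded), ...]}

    Parsing stops as soon as AUTH TLS/SSL is acknowledged with 234, because
    from that point the bytes are TLS records, not FTP commands.
    """
    result = {"tls": False, "logins": []}
    user = password = None
    awaiting_tls_reply = False

    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            continue

        if line.upper().startswith((b"AUTH TLS", b"AUTH SSL")):
            awaiting_tls_reply = True
            continue

        m = REPLY_RE.match(line)
        if m:
            code = int(m.group(1))
            if awaiting_tls_reply:
                awaiting_tls_reply = False
                if code == 234:  # server agreed: the channel is now TLS
                    result["tls"] = True
                    break
            if user is not None and code in (230, 530):
                # 230 = logged in, 530 = rejected; either way the attempt was visible.
                pw = password.decode("utf-8", "replace") if password is not None else None
                result["logins"].append((user.decode("utf-8", "replace"), pw, code == 230))
                user = password = None
            continue

        m = USER_RE.match(line)
        if m:
            user, password = m.group(1), None
            continue

        m = PASS_RE.match(line)
        if m and user is not None:
            password = m.group(1)

    return result


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_SESSION), ("explicit FTPS", FTPS_SESSION)):
        seen = harvest_ftp_logins(session)
        print(f"{name}: tls={seen['tls']} logins={seen['logins']}")
```

Run it and the plain session gives up both the failed guess and the working password, while the FTPS session yields nothing after the 234 reply. Failed attempts are recorded on purpose: an attacker collecting these files will keep the rejected guesses too, since they often work on a neighbouring account.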

Here are a few password tips to keep in mind:

  • Always use strong passwords. Here’s a nice primer on how to create strong passwords.
  • Don’t use the same password for all your online accounts. Sure, it’s easier, but the flip side is that if the password for one account is stolen, every other account that shares it is compromised too.
  • Change the passwords on sensitive accounts at least every couple of months. That way, even if an account has been compromised without your knowledge, you’ve limited how long it stays that way.
  • Never leave a post-it note with your passwords stuck to your wall or on your desk.


Reader Comments

  1. All of your protocol is great in concept, but who can remember all the user id’s and passwords. EVERYTHING is going this way. If you don’t have a written record somewhere, you cannot possibly keep track. Then there are the “secure” websites that require things be changed and security questions to be set up. ONE account requires the user id, password, answers to 3 security questions and possibly additional details to get you into the site. Take that times utilities, credit card accounts, accounts that accept payment online, several bank accounts, informational accounts for business practices, insurance accounts, tracking accounts, services to get business… the list is unending and growing constantly. More and more are REQUIRING e-bills and e-statements to do online business. The list grows longer. Now add the multiple emails sent to ‘remind’ you and tell you about services. These also will bring in unwanted access to your computer. If you do not open them, then you miss legitimate business correspondence. If you do open them you could give someone access to your computer and/or get viruses and other evil invasions that could compromise ALL security you may have been so careful to protect with firewalls and virus scans, and secure business practices. The more information that goes out to protect the innocent also goes out to help the hacker/criminal. Those working to protect the innocent with new security boast about how they create this. This in turn informs the criminal of the newest ways they can hack into accounts. There is no suggestion as to HOW to protect the innocent. Just ways the innocent can TRY to and HOPE for protection by businesses that have to pay more and more for IT people to secure their sites and systems. Those IT people can be the culprits as well. It is an incredible, growing Catch-22.
What suggestions are there for the average business to protect themselves when they are REQUIRED to conduct business online in order to continue to exist in this technological world? And one more thing – when you have multiple passwords, some case sensitive, some not, and you make the mistake of using or typing in the wrong one – you are required to provide even more personal sensitive information in order to access what you already tried to protect. You run the risk of a VERY HUMAN error costing you hours of frustration while someone makes you prove who you are. Then they change everything again. I have actually had secure sites set up new account access while they left the old “unaccessible” account untouched because I could prove who I was but could not give them the original information and they could not access it either. So now there is a “hackable” site access sitting just waiting for disaster to strike. When IT people stop taking shortcuts and when we stop having to protect ourselves from them also, that is when it will be safe again to use the internet for business transactions. Until then, we are all as subject to criminal activity as we are walking down the street. And no account guarantees they will actually check and advise. Then we are advised, but we aren’t sure the person contacting us is legitimate either. You have great ideas, but have obviously not lived in the real world of business to see how simple and useless your suggestions are.


This post was written by Ipswitch Blog

Ipswitch helps solve complex IT problems with simple solutions. The company’s software has been installed on more than 150,000 networks spanning 168 countries to monitor networks, applications and servers, and securely transfer files between systems, business partners and customers. Ipswitch was founded in 1991 and is based in Lexington, Massachusetts with offices throughout the U.S., Europe, Asia and Latin America.