Chapter Eleven: Hackers using Ashley Madison passwords to hack Paypal accounts?

Update: 14.9%, or 8,643 of the 57,819 unique e-mail addresses observed logging into Paypal, were found on Ashley Madison lists. It is clear that the QuantumFilament hackers have other sources of e-mails and passwords to try on Paypal, but the Ashley Madison data, with millions of e-mail addresses and passwords, is likely being used. Users who use the same password on Ashley Madison and Paypal, and have not changed their passwords, are particularly at risk.

Original post

I was reading Andrea Peterson’s article on Ashley Madison passwords, which led me to this Ars Technica article with the top 100 passwords used on the Ashley Madison website. That inspired me to look at my data for the approximately 60,282 login attempts to Paypal, the “financial service” discussed here. From the Ars Technica article, the top 20 passwords used on Ashley Madison are:

  • 123456
  • 12345
  • password
  • DEFAULT
  • 123456789
  • qwerty
  • 12345678
  • abc123
  • pussy
  • 1234567
  • 696969
  • ashley
  • fuckme
  • football
  • baseball
  • fuckyou
  • 111111
  • 1234567890
  • ashleymadison
  • password1

If we marry (pun intended) the Ashley Madison data with the Paypal data, we get some interesting results.

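| Password | Ashley Madison rank | Paypal attempts rank |
|---|---|---|
| 123456 | 1 | 1 |
| 12345 | 2 | 4 |
| password | 3 | 3 |
| DEFAULT | 4 | n/a |
| 123456789 | 5 | 2 |
| qwerty | 6 | 6 |
| 12345678 | 7 | 5 |
| abc123 | 8 | 15 |
| pussy | 9 | 1,473 |
| 1234567 | 10 | 10 |
| 696969 | 11 | 1,592 |
| ashley | 12 | 33 |
| fuckme | 13 | 164 |
| football | 14 | 11 |
| baseball | 15 | 38 |
| fuckyou | 16 | 62 |
| 111111 | 17 | 8 |
| 1234567890 | 18 | 13 |
| ashleymadison | 19 | n/a |
| password1 | 20 | 24 |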

Now let’s examine the rest of the top 20 passwords tried against Paypal accounts by the QuantumFilament hackers (or someone using their network of hacked routers).

| Password | Paypal attempts rank | Ashley Madison rank |
|---|---|---|
| iloveyou | 7 | 42 |
| 123123 | 9 | 27 |
| 1234 | 12 | n/a |
| 000000 | 14 | 30 |
| 654321 | 16 | 26 |
| 987654 | 17 | 53 |
| princess | 18 | 94 |
| Exigent | 19 | n/a |
| hongkong | 20 | n/a |

The results don’t correlate perfectly, but they do suggest that one source for the attempted Paypal logins might be the e-mail addresses and passwords of Ashley Madison users.
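To put a number on "don't correlate perfectly", the following added example (not part of the original post) joins the two tables above and computes Spearman's rank correlation over the passwords ranked in both lists. The ranks are transcribed from the tables; the function names are this example's own.

```python
# name -> (Ashley Madison rank, Paypal attempts rank); None stands for "n/a".
# Values transcribed from the two tables in this post.
RANKS = {
    "123456": (1, 1), "12345": (2, 4), "password": (3, 3), "DEFAULT": (4, None),
    "123456789": (5, 2), "qwerty": (6, 6), "12345678": (7, 5), "abc123": (8, 15),
    "pussy": (9, 1473), "1234567": (10, 10), "696969": (11, 1592),
    "ashley": (12, 33), "fuckme": (13, 164), "football": (14, 11),
    "baseball": (15, 38), "fuckyou": (16, 62), "111111": (17, 8),
    "1234567890": (18, 13), "ashleymadison": (19, None), "password1": (20, 24),
    "iloveyou": (42, 7), "123123": (27, 9), "1234": (None, 12),
    "000000": (30, 14), "654321": (26, 16), "987654": (53, 17),
    "princess": (94, 18), "Exigent": (None, 19), "hongkong": (None, 20),
}

def shared(ranks):
    """Keep only passwords that have a rank in both lists."""
    return {p: r for p, r in ranks.items() if None not in r}

def rerank(values):
    """Map each value to its 1-based position in sorted order.
    Assumes no ties, which holds because ranks within one list are unique."""
    return {v: i + 1 for i, v in enumerate(sorted(values))}

def spearman(ranks):
    """Spearman's rho over the shared passwords, after re-ranking each
    column within the shared subset so gaps (e.g. rank 1,473) don't dominate."""
    both = shared(ranks)
    n = len(both)
    am = rerank(a for a, _ in both.values())
    pp = rerank(p for _, p in both.values())
    d2 = sum((am[a] - pp[p]) ** 2 for a, p in both.values())
    return 1 - 6 * d2 / (n * (n * n - 1))

def paypal_top_overlap(ranks, n=20):
    """How many of the Paypal top-n passwords also appear in the
    Ashley Madison top 100 (i.e. have an Ashley Madison rank)."""
    return sum(1 for a, p in ranks.values()
               if p is not None and p <= n and a is not None)

if __name__ == "__main__":
    print(f"shared passwords: {len(shared(RANKS))}")
    print(f"Spearman rho:     {spearman(RANKS):.2f}")
    print(f"Paypal top 20 also in Ashley Madison top 100: {paypal_top_overlap(RANKS)}")
```

On this sample the result is rho = 0.42 across 24 shared passwords, and 17 of the Paypal top 20 appear in the Ashley Madison top 100. The sample is only the union of each list's top 20, so the figure describes these tables rather than the full data sets.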
