Update: 14.9%, or 8,643 of the 57,819 unique e-mail addresses observed logging into Paypal, were found on Ashley madison lists. It is clear that the QuantumFilament hackers have other sources of e-mails and passwords to try on Paypal, but the Ashley Madison data, with millions of e-mail addresses and passwords, is likely being used. Users who use the same password on Ashley Madison and Paypal, and have not changed their passwords, are particularly at risk.
Original post
I was reading Andrea Peterson’s article on Ashley Madison passwords, which led me to this Ars Technica article with the top 100 passwords used on the Ashley Madison website. That inspired me to look at my data for the approximately 60,282 login attempts to Paypal, the “financial service” discussed here. From the Ars Technica article, the top 20 passwords used on Ashley Madison are:
- 123456
- 12345
- password
- DEFAULT
- 123456789
- qwerty
- 12345678
- abc123
- pussy
- 1234567
- 696969
- ashley
- fuckme
- football
- baseball
- fuckyou
- 111111
- 1234567890
- ashleymadison
- password1
If we marry (pun intended) the Ashley Madison data with the Paypal data, we get some interesting results.
Password | Ashley Madison rank | Paypal attempts rank |
---|---|---|
123456 | 1 | 1 |
12345 | 2 | 4 |
password | 3 | 3 |
DEFAULT | 4 | n/a |
123456789 | 5 | 2 |
qwerty | 6 | 6 |
12345678 | 7 | 5 |
abc123 | 8 | 15 |
pussy | 9 | 1,473 |
1234567 | 10 | 10 |
696969 | 11 | 1,592 |
ashley | 12 | 33 |
fuckme | 13 | 164 |
football | 14 | 11 |
baseball | 15 | 38 |
fuckyou | 16 | 62 |
111111 | 17 | 8 |
1234567890 | 18 | 13 |
ashleymadison | 19 | n/a |
password1 | 20 | 24 |
Now let’s examine the rest of the top 20 passwords tried against Paypal accounts by the QuantumFilament hackers (or someone using their network of hacked routers).
Password | Paypal attempts rank | Ashley Madison rank |
---|---|---|
iloveyou | 7 | 42 |
123123 | 9 | 27 |
1234 | 12 | n/a |
000000 | 14 | 30 |
654321 | 16 | 26 |
987654 | 17 | 53 |
princess | 18 | 94 |
Exigent | 19 | n/a |
hongkong | 20 | n/a |
The results don’t correlate perfectly, but it does suggest one source for the attempted Paypal logins might be the e-mail addresses and passwords of Ashley Madison users.