A Star Wars Galaxies fan site got hacked today and thieves stole 21,000 email addresses and 23,000 passwords. And judging from an analysis of the passwords, most of them were weak.
The site SWGalaxies.net is a fan site owned by LFNetwork, an independently owned network of LucasArts fan sites. Hackers from the group ObSec, a small hacking collective with apparent sympathies for the LulzSec and AntiSec hacktivist groups, broke into the site’s security and posted the addresses and passwords on the web. While a compromised forum login isn’t itself a big deal, the threat from this kind of smaller breach is that it can lead to further identity theft that could be devastating for individuals — particularly if they’re reusing the same passwords at other, more critical websites.
Jeff Moeller, editor of LFNetwork, said that the site that got hacked is not actively maintained any more. The fan site targets males 18 to 34 years old, and evidently none of the other UGO or IGN sites were targeted.
Identity Finder took a look at the posted passwords and found many of them were weak. In other words, they would have been easy to crack because they are short, contain dictionary words, or don’t contain special characters, numbers, or punctuation.
“It’s unfortunate,” said Todd Feinman, chief executive of Identity Finder, in an interview. “It must be so frustrating for someone to see their passwords online, given the amount of online sign-ups we have to do.”
Of the 23,389 passwords stolen, 71 percent were weak. Only 13 percent of the passwords were strong. The average password length was 7.6 characters. About 4.3 percent of the passwords were less than 5 characters, and only 4.7 percent of the passwords were more than 10 characters long.
Hacking a game web site password isn’t too big a deal. But the problem is that users often reuse their passwords on more important sites, like online banks. Studies show that 50 percent of passwords are reused.
Feinman said, “Passwords are a digital identity and password reuse is a serious problem that could lead toward identity fraud.”
One of the users had a password that was 42 characters long. That person took trouble to protect himself or herself. But since the web site stored the passwords in an unencrypted format, the password is out there for everyone to see now.