These accounts were hacked because users tended to reuse their logins and passwords on other sites that had no automated anti-hijacking systems (or security features), e.g. an extra delay on each login attempt (the added time per guess lengthens the total guessing time and so hampers the attack), locking accounts after failed login attempts, a token requirement, login only from certain IP addresses, a mobile phone authentication code, two-step authentication, and many more.
Parking such sensitive information on unsafe sites allows hackers to launch brute force attacks such as password guessing, and how quickly an unrestricted guessing attempt succeeds depends on the strength of the password (you can predict the amount of time it takes to guess a password [by Gibson Research Corp.]), e.g. a stronger password such as T_*1s+pq9_1 takes approximately 1.83 years to figure out if the guessing attempts are not restricted by the server.
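As an added illustration (example code, not from the original post): a server-side throttle implementing the delay-and-lockout features named above, plus a rough worst-case guessing-time estimate showing how a per-attempt delay multiplies the attacker's cost. The policy constants and the guess rate are assumptions, not figures from the post or from Gibson Research Corp.

```python
import string
import time

# Constructed policy values for this example (assumptions, not from the post).
LOCKOUT_THRESHOLD = 5    # failed attempts before the account is locked
LOCKOUT_SECONDS = 900.0  # length of the lockout (15 minutes)
BASE_DELAY = 1.0         # delay before the 2nd attempt, doubled on each further failure


class LoginThrottle:
    """Per-account failed-attempt counter with escalating delay and lockout."""

    def __init__(self, now=time.monotonic):
        self.now = now            # injectable clock so the logic is testable
        self.state = {}           # account -> (failure_count, locked_until)

    def check(self, account):
        """Return (allowed, wait_seconds) for the next attempt on this account."""
        count, locked_until = self.state.get(account, (0, 0.0))
        if locked_until > self.now():
            return False, locked_until - self.now()
        delay = BASE_DELAY * 2 ** (count - 1) if count else 0.0
        return True, delay

    def record(self, account, success):
        """Reset on success; on failure count it and lock after the threshold."""
        count, _ = self.state.get(account, (0, 0.0))
        if success:
            self.state.pop(account, None)
            return
        count += 1
        locked_until = self.now() + LOCKOUT_SECONDS if count >= LOCKOUT_THRESHOLD else 0.0
        self.state[account] = (count, locked_until)


def charset_size(password):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    for chars, n in ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                     (string.digits, 10), (string.punctuation, 32)):
        if any(c in chars for c in password):
            size += n
    return size


def worst_case_guess_seconds(password, guesses_per_second, per_attempt_delay=0.0):
    """Time to exhaust the search space, with an optional server-side delay per guess."""
    space = charset_size(password) ** len(password)
    return space / guesses_per_second + space * per_attempt_delay
```

The estimate counts only exhaustive search at a fixed rate; a real attacker tries likely passwords first, which is why the lockout matters more than the delay alone.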
Fortunately, Google does invest significant effort to ensure user accounts are not compromised. That is why I prefer not to share my Google account and password with other service providers.
However, it’s really difficult to find out what security features service providers (e.g. Yahoo, Facebook, blogs, forums, etc.) actually offer. There is no standardized security requirement for service providers, and thus it’s difficult to decide which sites should be avoided.
The expectation that users are the ones who should constantly increase their password strength and change passwords frequently is flawed. It’s very unlikely that people will change passwords frequently and keep increasing their complexity at the same time. The human brain is not programmed to be that “dextrous”. There should be a better way to authenticate user identity. That is the million dollar question.
Just a thought.