kpn_logo175SophosLabs: One of the largest ISPs in The Netherlands has shut down its email services after hackers posted usernames, passwords, phone numbers, addresses and more of more than 500 customers on the internet.

KPN discovered the attackers on its network January 27th, but decided not to disclose the information immediately after consulting with the Dutch government and law enforcement agencies.

Presumably this was intended to allow them to monitor the attacker and gather evidence that might be used to apprehend and prosecute them.

They announced the breach on February 8th, but suddenly today decided to suspend all email access after some customers’ information was posted on pastebin.com.

They are currently allowing customers to send outbound email, but have disabled access to customer mailboxes while they work on securing the server infrastructure.

KPN provides service to more than two million Dutch internet users and it is unclear if information was stolen about more than the 500+ already disclosed.

I have seen a lot of arguments among security researchers lately about the value of analyzing passwords that have been stolen from sites like Care2.com and Stratfor.

kpnexamplepasswords175The argument is that people’s passwords are weak because these are throwaway websites and people can’t be bothered to choose unique passwords for every site they access.

This time the passwords disclosed are for accessing private email accounts, something I would expect most of us would consider very personal and important enough to protect properly.

What did I find? The average password was 8.3 characters long and most of them abysmally weak. The shortest password was only 4 characters, while the longest (2) were 13 characters.

shutterstock_passwordlock250Password complexity isn’t really the problem in this case, rather it is not having your password database stolen to begin with.

No matter how long your password is it does you no good if it is stored in plain text and stolen by a cybercriminal.

KPN has warned its customers that they should change any passwords they might have reused on other sites like Google or Facebook.

To me, that is the real lesson here. You really *need* to use a unique password for every site you visit, or in the worst case at least for the important ones.

Complexity is nice, entropy is great, but it is all for naught if your service provider can’t hold up its end of the bargain.