KPN discovered the attackers on its network January 27th, but decided not to disclose the information immediately after consulting with the Dutch government and law enforcement agencies.
Presumably this was intended to allow them to monitor the attacker and gather evidence that might be used to apprehend and prosecute them.
They announced the breach on February 8th, but suddenly today decided to suspend all email access after some customers’ information was posted on pastebin.com.
They are currently allowing customers to send outbound email, but have disabled access to customer mailboxes while they work on securing the server infrastructure.
KPN provides service to more than two million Dutch internet users and it is unclear if information was stolen about more than the 500+ already disclosed.
I have seen a lot of arguments among security researchers lately about the value of analyzing passwords that have been stolen from sites like Care2.com and Stratfor.
This time the passwords disclosed are for accessing private email accounts, something I would expect most of us would consider very personal and important enough to protect properly.
What did I find? The average password was 8.3 characters long and most of them abysmally weak. The shortest password was only 4 characters, while the longest (2) were 13 characters.
No matter how long your password is it does you no good if it is stored in plain text and stolen by a cybercriminal.
KPN has warned its customers that they should change any passwords they might have reused on other sites like Google or Facebook.
To me, that is the real lesson here. You really *need* to use a unique password for every site you visit, or in the worst case at least for the important ones.
Complexity is nice, entropy is great, but it is all for naught if your service provider can’t hold up its end of the bargain.