Around 10 million email addresses and passwords were recently leaked on a Russian Bitcoin forum. Many websites report about 5 million Gmail accounts, but the leak also includes accounts from 2 popular Russian mail providers (Yandex and Mail.ru). The leak contains the following:
- ~5 million Gmail email addresses and passwords
- ~4 million Mail.ru email addresses and passwords
- ~1 million Yandex email addresses and passwords
After analyzing the leaked passwords, it looks like they are mostly old (around 2010 and older) and originate from various sources.
I thought it would be interesting to compare the passwords used on Russian sites, and those used on Gmail, which is predominantly English. Here are the results:
Statistic | Gmail | Russian mail providers |
---|---|---|
Top 10 passwords | 123456 = 0.97%<br>password = 0.23%<br>123456789 = 0.23%<br>12345 = 0.16%<br>qwerty = 0.12%<br>12345678 = 0.11%<br>111111 = 0.07%<br>123123 = 0.06%<br>abc123 = 0.06%<br>1234567 = 0.06% | 123456 = 1.84%<br>qwerty = 1.7%<br>123456789 = 0.5%<br>111111 = 0.34%<br>qwertyuiop = 0.24%<br>1234567890 = 0.2%<br>klaster = 0.18%<br>1234567 = 0.17%<br>qwe123 = 0.16%<br>7777777 = 0.16% |
Top 10 base words | password = 0.36%<br>qwerty = 0.23%<br>love = 0.07%<br>monkey = 0.06%<br>dragon = 0.06%<br>hello = 0.06%<br>iloveyou = 0.06%<br>qazwsx = 0.05%<br>july = 0.05%<br>abcd = 0.04% | qwerty = 1.94%<br>qwertyuiop = 0.25%<br>klaster = 0.18%<br>qwer = 0.17%<br>qazwsx = 0.12%<br>gfhjkm = 0.12%<br>mama = 0.12%<br>dima = 0.11%<br>qaz2wsx = 0.11%<br>alex = 0.1% |
Password length | One to six characters = 22.88%<br>One to eight characters = 65.27%<br>More than eight characters = 34.73% | One to six characters = 27.19%<br>One to eight characters = 65.46%<br>More than eight characters = 34.54% |
Password structure | Only lowercase alpha = 40.03%<br>Only uppercase alpha = 0.0%<br>Only alpha = 40.03%<br>Only numeric = 15.8%<br>Single digit on the end = 8.04%<br>Two digits on the end = 11.4%<br>Three digits on the end = 6.23% | Only lowercase alpha = 21.49%<br>Only uppercase alpha = 0.27%<br>Only alpha = 21.76%<br>Only numeric = 30.99%<br>Single digit on the end = 3.29%<br>Two digits on the end = 5.55%<br>Three digits on the end = 3.68% |
Years (Top 10) | 2010 = 0.21%<br>2009 = 0.19%<br>1987 = 0.17%<br>2008 = 0.16%<br>1986 = 0.15%<br>1985 = 0.15%<br>1988 = 0.15%<br>1984 = 0.15%<br>1989 = 0.14%<br>2000 = 0.14% | 1987 = 0.6%<br>2010 = 0.57%<br>1988 = 0.57%<br>1986 = 0.56%<br>1991 = 0.56%<br>1989 = 0.56%<br>1990 = 0.56%<br>1985 = 0.54%<br>1992 = 0.51%<br>1984 = 0.49% |
The Years (Top 10) statistic clearly indicates that the passwords were collected around 2010 or before. It also seems that Russians prefer passwords composed of numbers (check the Password structure data, Only numeric). Gmail passwords, in contrast, are split between Only lowercase alpha and Only alpha. So, for some reason unknown to me, many Russians chose passwords composed of numbers (maybe they are using something like their social security number?).
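
The same categories can be computed for any password list, for example when auditing passwords recovered in an internal assessment. The Python below is an added example, not the tool used for this article; the sample list is constructed, and the base-word rule (strip non-letters from both ends, keep words longer than three letters) and the year rule (a standalone 19xx or 20xx) are assumptions.

```python
import re
from collections import Counter

# Constructed sample, not taken from the leak.
SAMPLE = ["123456", "qwerty", "password1", "Password", "monkey12", "dima1987",
          "111111", "qwerty", "love2010", "abc123", "7777777", "iloveyou",
          "klaster", "alex123", "1234567890", "QWERTY"]

STRUCTURE = {  # table label -> regex that must match the whole password
    "Only lowercase alpha": r"[a-z]+",
    "Only uppercase alpha": r"[A-Z]+",
    "Only alpha": r"[A-Za-z]+",
    "Only numeric": r"[0-9]+",
    "Single digit on the end": r".*[^0-9][0-9]",
    "Two digits on the end": r".*[^0-9][0-9]{2}",
    "Three digits on the end": r".*[^0-9][0-9]{3}",
}
# Assumed year rule: four digits starting 19 or 20, not part of a longer number.
YEAR = re.compile(r"(?<![0-9])((?:19|20)[0-9]{2})(?![0-9])")

def pct(count, total):
    return round(100.0 * count / total, 2)

def base_word(pw):
    """Assumed definition: lowercase, strip non-letters from both ends."""
    word = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return word if len(word) > 3 else None

def analyze(passwords, top=10):
    total = len(passwords)
    if total == 0:
        raise ValueError("empty password list")
    def ranked(counter):
        return [(k, pct(v, total)) for k, v in counter.most_common(top)]
    def share(pred):
        return pct(sum(1 for p in passwords if pred(p)), total)
    bases = Counter(b for b in map(base_word, passwords) if b)
    years = Counter(y for p in passwords for y in set(YEAR.findall(p)))
    return {
        "top_passwords": ranked(Counter(passwords)),
        "top_base_words": ranked(bases),
        "length": {"One to six characters": share(lambda p: len(p) <= 6),
                   "One to eight characters": share(lambda p: len(p) <= 8),
                   "More than eight characters": share(lambda p: len(p) > 8)},
        "structure": {name: share(lambda p, rx=rx: re.fullmatch(rx, p))
                      for name, rx in STRUCTURE.items()},
        "years": ranked(years),
    }
```

As in the table, the categories overlap: "Only alpha" includes the lowercase-only and uppercase-only passwords, and "One to eight characters" includes the one-to-six bucket.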