Passwords used by many of Sweden's cyber elite are now available on the Internet following a hack against the Swedish Computer Society, an organization of IT professionals. Among the victims are a former security officer at Microsoft, a Symantec security expert and the director of Sweden's largest Internet bank.
The list of logins for more than 24,000 mail accounts was published Thursday afternoon on an anonymous server. Several of Sweden's major Internet forums soon linked to the list. The list contains user names, encrypted passwords and e-mail addresses.
The CEO of the Swedish Computer Society, Annica Bergman, confirmed the theft Thursday night after an emergency meeting with the board.
It is not known how long the hackers have had access to the servers and the logins.
"We're investigating. But they claim themselves they have been watching us for long," said Bergman.
Many prominent persons in the Swedish IT industry are affected. One of them is Predrag Mitrovic, the former security director of Microsoft Sweden. He says that he has worked with IT security for many years, but this is the first time that he himself has been attacked: "This is the first time my own details have been compromised."
However, he says that he does not use his Swedish Computer Society password anywhere else: "I'm a security nerd, so that password won't do them much good."
Per Hellqvist, a security expert at Symantec who is one of Sweden's best-known writers on IT security, is on the list: "I am assuming it will be cracked," he says. He can't rule out that he might have used the same password on other Internet sites.
"I am not quite sure what password I used there, but I am sure I'll get a whacking for using a plain password."
The stolen database also includes an account registered to Ingemar Borelius, the director of the Internet bank of Sweden's largest bank, Nordea. Nordea came under heavy criticism in 2007, when it was disclosed that organized crime had been able to steal at least 10 million Swedish kronor by installing Trojans on computers belonging to Nordea's customers.
Ingemar Borelius says that he is not aware of having an account at the Swedish Computer Society and is not willing to make any comments.
Accounts belonging to officials of the Swedish police, the security police, the armed forces, the Swedish parliament and corporations like AstraZeneca and Ericsson have also been compromised.
All passwords in the list were encrypted. However, once the information was published on the Internet, users in hacker forums began working on decrypting them. Only a few hours later, the first plain-text passwords were available on the Internet.
The stolen information also includes the e-mail addresses of the users, so there's an added risk that many e-mail accounts have been compromised, as many users have the same password for more than one site. The Swedish Computer Society recommends that all passwords be changed.
New users at the web site are assigned unique passwords at registration. However, they are advised to change them to passwords of their own choice.
On Friday, the two web sites affected, the home page of the Swedish Computer Society and a community site, were unavailable on the Web and no explanation was provided.