15,000 Hungarian Gmail accounts and their passwords were leaked on an Estonian file-sharing website, origo.hu reports. When tested, the accounts and passwords proved correct, although the list contained previous passwords and passwords for different accounts as well. The details were stolen from the database of the Budapest Marathon Organisation (BSI).

The user who discovered the hack was a man whose Spotify account had been compromised. As a precaution against future incidents, he began to investigate how secure his other accounts were, and he happened upon his email address on the Estonian website, where hackers were sharing account passwords, as well as tips and tricks on cracking various apps and websites. They were also trading the data; lists containing as many as 1 million account details were mentioned in possible deals.

It was not the Gmail accounts themselves that were hacked; the data was stolen from another website. This presents a serious issue for users who use the same name and password for several websites, since all of those accounts automatically become accessible to hackers.

According to origo.hu, users are not using secure passwords. Only 38% of them create strong passwords, and 1 out of 7 people use the same password for all of their accounts. 12% of them do not even attempt to make their passwords more complicated by using capital letters or special characters (@&#). The list on the Estonian website also contained many weak passwords, such as the name of the user, their birthday, or 12345 and the like.

According to Hungarian laws on abuse and misuse of personal information, identity fraud is punishable by a prison sentence of up to 2 years. This applies to criminals who commit the theft, as well as to those who only use or share the information after it comes into their possession from other sources.

In Hungary, if someone discovers a stolen database, it can be reported to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), or to the National Media and Infocommunications Authority (NMHH) when the issue concerns a telecommunications company.

The Budapest Marathon Organisation confirmed the hack, as well as the number of leaked accounts. The attack hit the system that stores entries for races, and it most likely came from Asian IP addresses. The organisation is still investigating the degree of damage, but it does not store credit card and payment information. Upon registration, users are redirected to a secure platform to complete the transactions.

Online registration has been suspended until the security breach is fixed, and the organisation warned every runner whose information could have been involved: if they are using the same password on different accounts, they should change them immediately.

Copy editor: bm

Source: origo.hu