For months, there's been a steady trickle of sites getting hacked, followed by their usernames and passwords being passed around publicly on the Web. It's a real and growing problem that's just going to get worse.
Fact: People use the same password on more than one site. So let's say a list contains the username firstname.lastname@example.org with the password abcd1234. You know that username and password pair isn't just used on the site that's been hacked; it's incredibly common for people to have one password that they use pretty much everywhere. Because people are stupid.
Or maybe it's just that coming up with good passwords is too tough. In a relatively short time, we've gone from needing a handful of passwords to needing them by the dozens. Think of all the logins you have. Creating unique, hard-to-crack passwords for all those sites is harder than a congressman from New York. So of course people re-use passwords.
In fact, research done on two of the largest password exposures (Sony's and our own here at Gawker Media) found that two thirds of people with accounts at both Sony and Gawker used the same password on both systems. And obviously, those people are very likely using the same passwords on many other sites and services as well.
Following the Gawker password dump, a lot of places took measures to try and protect exposed users. For example, LinkedIn queried the exposed email addresses against its own account database and disabled any matches. But of course, responsible websites trying to protect users aren't the only ones running cross checks. All sorts of other people are doing the same thing with less savory purposes.
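What that defensive cross-check looks like in practice, as an added example that is not LinkedIn's or Gawker's code: a site compares a circulating dump against its own accounts, and for every matching email also checks whether the leaked password is the one the user actually has here. The dump, the accounts and the email addresses below are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of a public dump: (email, plaintext password) pairs.
LEAKED_CREDENTIALS = [
    ("firstname.lastname@example.org", "abcd1234"),
    ("Alice@Example.com", "correct horse battery"),
    ("nobody@example.net", "hunter2"),
]

def normalize_email(email):
    """Dumps and signup forms disagree on case and whitespace; compare canonically."""
    return email.strip().lower()

def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-SHA256, the way the site stores its own passwords (assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_account(email, password):
    salt = os.urandom(16)
    return {"email": normalize_email(email), "salt": salt,
            "hash": hash_password(password, salt), "active": True}

def build_sample_accounts():
    """Constructed account database: one reuser, one exposed email, one bystander."""
    users = [("firstname.lastname@example.org", "abcd1234"),   # reused the dumped password
             ("alice@example.com", "a-different-password"),   # email in dump, password not
             ("bob@example.com", "unrelated-secret")]         # not in the dump at all
    return {normalize_email(e): make_account(e, p) for e, p in users}

def cross_check(accounts, leaked):
    """Return {email: 'reused' | 'exposed'} and lock accounts whose password is in the dump.

    'reused'  - the leaked password verifies against our stored hash: disable, force reset.
    'exposed' - only the email appears in the dump: worth a warning, not a lockout.
    """
    findings = {}
    for email, leaked_pw in leaked:
        acct = accounts.get(normalize_email(email))
        if acct is None:
            continue
        candidate = hash_password(leaked_pw, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            findings[acct["email"]] = "reused"
            acct["active"] = False
        else:
            findings.setdefault(acct["email"], "exposed")
    return findings
```

Because the check hashes the leaked plaintext with each matching user's own salt, it needs no access to users' plaintext passwords and never stores the dump's passwords in the clear.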
Currently, when you see a big password dump, there's not much that your average schmoe can do with it. Sure, he can manually try a few of the logins on various sites like Gmail or Facebook. But that's like finding a key in the street downtown and then going door to door in the suburbs trying it out. Without an automated tool to run the entire list against very many websites, it's an inefficient technique. And thankfully, those automated tools aren't so common that any idiot (like me!) can casually find and use one. That will change.
Today, LulzSec is just handing out gasoline. Pretty soon, somebody's going to come along with a match. Here's what hasn't happened yet, but will: