Hacking Team: 5 Tips For Recovering From The Alleged Breach

Hacking Team, an Italian company that helps governments spy on their own citizens, has apparently been hacked itself.

As the story is such big news today I’ll let you get the details elsewhere – Graham Cluley’s article is as good a place to start as any.

Instead, here are a few ideas for how the company can respond to the alleged incident:

1. Move quickly

If Hacking Team has indeed been breached then the speed with which they respond could be key to mitigating the effects.

We’ve already seen what appear to be torrents full of corporate data surface on the web and attract an undue amount of attention via social networks.

Given the sensitive nature of their business, and the even more sensitive makeup of their alleged client list, it would make sense to do whatever possible to limit any further exposure of the company’s corporate data.

Taking the website offline until it can be thoroughly checked for the point of entry – and fixed – could be a good starting point.

Hacking Team would also be well-advised to remember it has other public-facing assets on the web too, i.e. Twitter accounts, which also appear to have been compromised. Taking those down, along with any other accounts on Facebook, Google or elsewhere, would also be prudent until fixes are made.

2. Get help

Normally sound advice to a small company would be to employ the services of a security professional following a breach. Their particular field of expertise could prove invaluable to an organisation whose main line of business lies outside the security field.

In the case of Hacking Team, we can only assume that some top talent is already on the payroll but, given the line they operate in, I’d imagine it has friends within some pretty interesting government departments.

Time to call in some favours?

3. Own it

Telling the world you take security seriously after a breach that demonstrated you didn’t beforehand is an increasingly lame way of doing business. Given Hacking Team’s client list, that’s not an approach that will win it much repeat business should the hack claims be true – and let’s not forget that the internet is awash with nothing more than opinion right now; I’ve seen nothing to say categorically that a breach did occur.

That said, if the claims are true, Hacking Team would be well advised to own up, at least to its customers, and start working towards building their trust again.

Denials and delays never helped anyone.

4. Disclose it

Disclosure is always important after a breach, either for regulatory reasons or simply to maintain goodwill with customers current and future. In this case, if a hack did occur, Hacking Team would likely be talking to clients who already know what’s gone on. Even so, working with the authorities seems like it’s a given.

5. Ensure it doesn’t happen again

This is the big one.

If the company has been hacked once there is every chance it could be targeted again, especially given the nature of its business.

While no-one likes to think about lightning striking once, there is a real danger it could strike twice. If that is a sentiment that applies to Hacking Team, it may wish to dust off its disaster recovery plan, check its security procedures and, depending on how the alleged attack was initiated, look into some staff security training.

Even more importantly, the company may need to employ some expert negotiators if it wishes to continue attracting nation-state contracts for its services.

So there are my thoughts – can you offer Hacking Team any extra tips for coping with the apparent hack it has experienced?

UK Data Breaches Up, Infosec Spending Leveling Off, Awareness Still Key

A new UK government survey, conducted by PwC in association with Infosecurity Europe, has revealed some interesting findings about data breaches, the key takeaway being that the number of breaches has increased year on year.

Reversing the small decrease seen in 2014, this year’s report shows that a whopping 90% of large organisations were breached in the previous 12 months (up from 81% last year). The report clearly highlights that it is not only large companies that need to be concerned though – some 74% of smaller firms were also breached (up from 60% in 2014).

While the actual number of breaches per organisation has dropped, from 16 to 14 for larger companies and from 6 to 4 for smaller firms, 59% of respondents expect to see more security incidents next year, something that may be explained by the reported levelling off of security spending.

Even though the cost of breaches continues to soar – large organisations among the 650 responding companies reported average losses of £1.46m to £3.14m and smaller respondents quoted average figures of £75k to £311k – many respondents reported a slowdown in the growth of security budgets.

While expenditure was, by and large, still expected to increase, fewer organisations were expecting beefier budgets than the year before. Respondents from smaller firms were far more pessimistic than those from larger players, with only 7% expecting additional funding in 2016.

Given the reported slowdown in security spending, it seems likely that organisations will become increasingly interested in getting the best value from their expenditure and, based upon the views garnered by this survey, that may well be in the area of staff training and awareness.

We’re huge fans of both here at BH Consulting and firm believers in their usefulness to both employees and the business as a whole. It is therefore rather disappointing to note that the survey concludes the human element to be a particular area of concern, as it has been for many years now.

While the surveyed companies reported an increase in staff awareness programs they do not appear to have got their money’s worth from them with many still citing employees as the highest area of risk within their organisation, responsible for the vast majority of breaches and other security incidents.

Three quarters of large organisations said human error caused at least one breach, up from 58% last year, while almost a third of small companies blamed staff for the same, up from 22% in 2014.

While we can probably conclude that businesses are becoming increasingly aware of the dangers of being breached – incidents are making the news more than ever before – they are continually struggling to mitigate the risks, regardless of size.

While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programs are known to be effective but many companies do not appear to have leveraged them to their full potential.

You can read the full report here, or the executive summary here.

Majority Of Data Breach Incidents Not Reported To ICO

According to ViaSat UK, a specialist security and communications company, the number of breaches of the Data Protection Act reported to the Information Commissioner’s Office represents only a tiny proportion of the such incidents actually occurring across the UK.

I can’t say that I’m in the least bit surprised by that.

Data pulled from Freedom of Information (FOI) requests showed there were at least 13,000 thefts of devices potentially containing sensitive business data between March 2014 and March 2015, a figure obtained from just 18 of the UK’s police forces.

Interestingly, however, the ICO was only informed of 1,089 breaches, meaning potentially thousands of cases went unreported.

Lock them up and throw away the key?

Nah, can’t do that – the Data Protection Act, as things stand, has no provision for dealing with the non-reporting of breaches, meaning we have no way of knowing what may or may not have been stolen, how many people may have been impacted or what, if any, action was taken after the devices were stolen.

Chris McIntosh, CEO, ViaSat UK, said:

We must remember that 13,000 thefts is the bare minimum: considering that not all police forces could share this information, the real figure is likely to be many times greater. As a result, thousands of individuals’ private data could well be on borrowed time.

ViaSat noted that the vast majority of the breaches that were reported to the ICO were made by public sector organisations – primarily the healthcare sector (431) and local government (129) – and very few came from the private business arena.

While statistics can tell you everything – or nothing at all – there is a suspicion that the small number of reported breaches in the private sector could signify that it is seriously under-reporting the number it encounters.

McIntosh continued:

It’s clear that this discrepancy isn’t due to the ICO but the framework it has to operate in. As it stands, the ICO simply doesn’t have the tools and powers it needs to ensure that either all threats are reported, or that risk is minimised. For instance, encrypting sensitive data is now a trivial matter in terms of both cost and complexity. If encryption of personal data was made mandatory, and enforced with spot checks and suitable punishments, then the public and the ICO could have much greater confidence [are you listening Mr Cameron?] that none of the 13,000-plus stolen devices represent a threat.

Earlier this week we saw another Freedom of Information request, this time made by Egress directly to the Information Commissioner’s Office, which revealed that the number of Data Protection Act breach investigations in the banking industry had risen by 183% over the last two years. Just out of interest, an FOI request made by Egress in November 2014 showed 93% of all breaches across all sectors were caused by human error – food for thought, eh?

So, what is the solution?

McIntosh said:

The ICO’s role is to encourage best practice in data protection. While it is clear that its financial penalties are aimed at this goal, it still needs more legal and financial muscle to drive its goals. While compulsory reporting of every single potential breach could be difficult to enforce, inevitably it would give the ICO a clearer view of the problem and allow it to better mandate best practice. However, in the meantime compulsory encryption, and the power to police it, is the absolute minimum that the ICO should be granted.

Compulsory reporting, eh? What do you think? Do we need a strict and enforced policy of potential breach reporting or does the answer lie elsewhere?

Given the high levels of human fallibility that so often go hand in hand with breaches, I’d suggest that legal frameworks aren’t the only answer and that, in fact, businesses should be far more concerned about preventing breaches than dealing with the aftermath when one does occur (though it goes without saying that an incident response plan and compliance with industry regulations and legislation are essential).

Adult Friend Finder Breached, Millions Of Records Exposed

Casual dating website Adult Friend Finder, which boasts some 63 million users across the globe, has warned customers that their personal data may be at risk following what appears to be a massive leak.

The breach, which is believed to have exposed around 3.6 million or more records, is currently being investigated by police.

Compromised information is said to include usernames, email addresses, post codes, IP addresses and details of people who have indicated they are looking for an extramarital affair.

Californian FriendFinder Networks says it is aware of the “seriousness” of the potential breach which appears to affect both current and deleted user accounts.

Given the nature of the site, and the fact that other personal details such as sexual preferences were leaked, the potential damage to affected users could be severe, as pointed out by Tripwire’s Director of Security and Product Management, Tim Erlin:

Aside from the known value of compromised personal details on the dark web, there’s certainly the potential for blackmail from this breach. If any high profile, public figures or politicians have been using Adult Friend Finder, they might consider how the details they entered there could be used against them.

Commenting on Twitter, our very own Brian Honan came to much the same conclusion.

Further details about the breach remain few and far between at the moment with the California company merely telling Channel 4 News that it “understands and fully appreciates the seriousness of the issue” and has “already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert”. The company also vowed to take the necessary action to protect its affected customers.

While the lack of further information may be frustrating, especially to anyone who has ever signed up to Adult Friend Finder, it is hardly surprising. As Erlin says:

It’s become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It’s not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data.

So what’s next if you are a victim?

While it is hardly clear-cut at the moment, the experience of one user may give some insight. Shaun Harper says he has been targeted with malware-laden emails since his details were published (you can check whether yours have been leaked here), even though he had already deleted his account and believed all of his information had been removed.

I’d suspect that in addition to infected emails and the aforementioned potential for blackmail, there is also a very strong likelihood that personal information will be sold on to companies and individuals with an interest in creating user profiles, not to mention an increase in personalised phishing emails hitting inboxes.

As Ken Westin, Senior Security Analyst at Tripwire says

The Internet has essentially become a database of You. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual.

Depending on the type of information that is compromised this data can be used to link aliases to other accounts via email or other shared attributes and unveil connections to accounts that were not seen until now. An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity, this is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.

It is also highly likely that affected customers will see an increase in junk email over the next few weeks too – as the stolen records began to circulate on the dark web, the hackers said they intended to spam the compromised email addresses.

Twenty-Five Million Plus Two Reasons Not To Ignore The Data Breach Risk

A few years ago data breaches weren’t all that common or, if they were, they certainly weren’t being reported with quite the same regularity that they are now.

Nowadays, it seems like another big company is getting hit just about every week – but let us not forget that smaller breaches are also a regular occurrence too.

So what are you doing to mitigate the risk of a breach affecting your organisation?

Nothing?

Hmmm…in that case, this post is for you then as I detail just two incidents from the last week that really ought to have you sitting bolt upright, considering the various costs associated with becoming the next data breach casualty.

AT&T

Firstly, there was the news that one of the biggest mobile carriers in the US – AT&T – had been slapped hard by the Federal Communications Commission (FCC).

Between 2013 and 2014 a series of breaches at call centres in Mexico, Colombia and the Philippines led to the unauthorised disclosure of personal data, including names and Social Security numbers, of some 280,000 US customers.

The FCC’s investigation revealed that over 40 call centre employees had collectively accessed the records so that third parties could submit handset unlocking requests through AT&T’s online portal. According to an FCC official, many of the handsets in question appeared to have been stolen.

As a result of the breach the carrier – which is the second largest in the US – was ordered to hand over $25 million, the largest civil penalty ever handed out in respect of privacy and data security enforcement action.

AT&T was also ordered to file regular compliance reports to the FCC and the company also voluntarily took on the added expense of notifying all impacted customers as well as offering them a year of free credit monitoring.

But it’s not just large settlements that large companies should fear in the wake of a data breach – reputational damage can be an equally big issue.

White Lodging Services

Take White Lodging Services, for example.

The Indiana-based company provides hotel management services across 14 properties, putting it on an altogether different scale to AT&T, but its business may have been damaged just as much by the news that it has suffered a payment card breach.

Can you imagine how prospective customers must feel, knowing that the company’s point-of-sale systems were compromised between 20 March, 2013 and 16 December of the same year?

Not great, I bet, though the relatively small size of the company may have kept it out of the largest news circles.

Unfortunately for White Lodging Services, some things in the past refuse to stay there, as its systems were again compromised on 27 January this year.

The company says the latest attack is not related to the previous one and it’s hard to tell whether customers should be reassured or increasingly worried about that to be honest.

That the company’s POS systems could be compromised once is worrying but perhaps not entirely surprising, given how the likes of Target, Home Depot and Neiman Marcus have all suffered a similar fate in the recent past.

But twice?

Something is going on here and, in the absence of further information from the company or comment from law enforcement, it’s hard to say what.

In any event, I would suspect that potential customers of White Lodging Services may well have heard the news by now and may be considering their next moves and whether they may be better off staying elsewhere.

That’s not to say that the company has done anything wrong – it may just have been the unfortunate victim of a very skilled attacker (twice, no less) – but the consequences may ultimately be no less damaging than the penalty handed to AT&T.

So, again, the question is, what are you doing to mitigate the risk of a data breach – a crime not limited to the United States – affecting your firm? And do you have an incident response plan prepared in case the worst does happen?

PCI What? Ex-Home Depot Staff Told Friends To Use Cash Not Cards

The story behind the Home Depot breach continues to unravel bit by bit and as the pieces of the jigsaw start to fit together, the resulting picture doesn’t look pretty.

Not one bit.

According to an article in the New York Times, the situation appears to have been little more than shambolic in my opinion, with former staff and security team members telling the publication that defence mechanisms were out of date and that security response was lacking.

The timeline appears to have started around seven years ago when the company began using Symantec Antivirus 2007, which it never subsequently updated. The New York Times also reports that networks were not consistently monitored for signs of attack and that system and vulnerability scans were not only performed erratically but were also not all-encompassing, as security staff were blocked from checking certain systems, including those associated with handling customer information.

The fact that the company failed to perform even the most basic of scans on a regular basis, in conjunction with more than 12 customer information databases being outside of their remit, is alarming, if not surprising, to me at least.

Whether the company complied with the payment card rules (it says it has since 2009) that mandate that such a large retailer conduct comprehensive scans at least quarterly is unknown, as is whether Home Depot employed QSAs to regularly test compliance, but the allegations put forward by former employees certainly suggest the answer may be a resounding no.

In fact, things were so bad at Home Depot that employees reportedly left the company after being told by managers that the chain “sell[s] hammers” when they asked for new software and training.

Even when the company did make a positive step in 2012 by hiring a computer engineer, Ricky Joe Mitchell, to help oversee security at its 2,200 stores, things didn’t exactly go to plan – he was subsequently arrested and banged up for 4 years in a federal jail after he was found to have deliberately wiped the servers at his previous company.

Former security staff at the chain told the New York Times that their confidence in the company’s IT systems was so low that they even resorted to telling friends to avoid using credit cards to make payments, instead recommending cash as a safer alternative.

The company did react eventually though, bringing in experts from Voltage Security, but only after the Target breach was discovered. The move to roll out EMV credit card security and the deployment of encryption across company systems came too late though as the attackers had already gained entry to the systems, leading to the theft of 56 million customers’ payment cards. Such a haul eclipses the 40 million that were snaffled during the Target breach. Experts have already seen some information for sale on carder forums and the total value of the stolen data has been estimated to be worth up to $3 billion.

And, as if things couldn’t get any worse, Home Depot’s email to customers, advising them of the breach, has only just gone out, long after most of the world heard the news from other sources.

Also, as you can see, it’s somewhat short of useful, actionable advice:

Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores. On September 18, 2014, we confirmed that the malware used in the breach has been eliminated from our U.S. and Canadian stores and that we have completed a major payment security project that provides enhanced encryption of payment data at point of sale throughout our U.S. stores, offering significant new protection for customers. There is no evidence that debit PIN numbers were compromised or that checks were impacted. Additionally, there is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.

We are offering customers who used a payment card at a Home Depot store in 2014, from April on, 12 months of free identity protection services, including credit monitoring, beginning on September 19, 2014. We apologize for the frustration and anxiety this may cause you and we thank you for your patience during this time.

For more information, please visit our website where you’ll find frequently asked questions, helpful tips, our Important Customer Notice, and information about how to take advantage of the free identity protection services, including credit monitoring. Should you have questions regarding the authenticity of this email or any additional questions over the coming days and weeks, please call 1-800-HOMEDEPOT.

We hope this information is useful and we appreciate your continued support.

The Home Depot

How do you rate Home Depot’s incident handling and response in this case?

Home Depot Investigates Breach. Slow Adoption Of Chip-And-Pin To Blame?

Another day, another breach.

This time it looks like US DIY chain Home Depot may have been compromised along with the possibility that customer credit and debit card data may have been snatched.

The possible breach was first reported by Brian Krebs who later updated his original post to suggest that the breach may extend back to April or May of this year.

The home improvement chain has subsequently revealed that it is investigating what it refers to as ‘suspicious activity’ and has also confirmed that it is working with “banking partners and law enforcement” as part of its own inquiry into what may have transpired.

Paula Drake, a U.S. spokesperson for Home Depot, said:

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further.”

Krebs, who broke the Target data breach story last year, said that it was too early to say how many stores may have been affected but the fact that Home Depot has 2,200 outlets means that:

“This breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”

If the breach is confirmed, Home Depot would be the latest, and possibly largest, retailer to suffer a loss of sensitive customer information, which may further alarm shoppers who are likely already concerned about the ability of large firms to keep their private data safe.

Krebs said that a number of banks became aware that the chain may have been breached after a massive new swathe of payment card data was made available on underground websites. He added that there are some indications that the alleged attackers in this case may be the same group of Russian and Ukrainian hackers that were responsible for the aforementioned Target breach, as well as other high profile compromises at P.F. Chang’s and Sally Beauty. The motivation for the attack, according to Krebs, could be some sort of protest against the US and Europe in the wake of sanctions levied against Russia following its moves into Ukraine.

Whilst data theft is likely to continue within the retail industry I am of the opinion that US firms are more at risk than others right now due to the slow adoption of the chip-and-pin system in America.

Until that system is fully rolled out in the US, the fact that magnetic stripes are still swiped as part of the payment process makes cards an easier target at the point of sale.

Or, as Ken Westin, security analyst at Tripwire, says:

“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.

Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.

Pretty much all of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”

Racing Post Ticked Off But Not Fined By ICO

Last year hackers breached the website of UK newspaper the Racing Post and made off with a whole heap of personal information belonging to over 677,000 customers.

The October attack saw names, addresses, dates of birth, telephone numbers and passwords exposed, but the Racing Post will not be fined, says the Information Commissioner’s Office (ICO).

The ICO said its decision not to levy a financial penalty on the newspaper was a close one, perhaps because its security was found to have been so lax: an investigation discovered that the last penetration test was run in 2007, six years before the SQL injection attack that led to the compromise.

The attack took advantage of existing vulnerabilities in the racingpost.com website which allowed the hackers to access the company’s database of registered users.

The ICO investigation revealed that security around both the website and the customer database was lacking.

Not only had penetration testing ceased in 2007, but regular security patches had been missed since that time too.

ICO Head of Enforcement, Stephen Eckersley, said:

“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure.

“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers’ details.”

The Racing Post has now signed an undertaking in which it acknowledged its previous lapses and promised it would try to do better in the future.

The Commissioner will now keep a close eye on the Racing Post, which will in turn endeavour to keep its security practices current, as well as replace the woefully inadequate unsalted password storage it had in place for customers.
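As an added example that is not part of the original post, nor the Racing Post’s own code, the Python script below puts the two failings the ICO flagged side by side with the fix for each: a user-search and login query built by pasting user input into the SQL text, which a classic injection payload turns into a dump of every stored password hash or an authentication bypass, versus the same lookups with bound parameters; and password storage as an unsalted digest, where a single lookup table cracks every account sharing a password, versus per-user random salts fed through PBKDF2. The users table, the three sample accounts and the choice of SHA-1 as the unsalted digest are assumptions made for the demonstration; the undertaking does not describe the site’s schema or hash function.

```python
"""Added example for this post: SQL injection and unsalted passwords, each
beside its fix, against an in-memory SQLite database.

Illustrative code only, not the Racing Post's. Assumed: the `users` table
layout below, three constructed sample accounts, and SHA-1 standing in for
whatever unsalted digest the site actually stored.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; two share a password on purpose.
SAMPLE_USERS = [
    ("alice", "Password1"),
    ("bob", "Password1"),
    ("carol", "correct horse battery staple"),
]

PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Weak scheme: a bare digest, so identical passwords give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fix: a 16-byte random salt per user, fed into PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def build_db() -> sqlite3.Connection:
    """In-memory database storing both the weak and the fixed representation."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_sha1 TEXT, salt BLOB, pw_pbkdf2 BLOB)")
    for name, pw in SAMPLE_USERS:
        salt, digest = salted_hash(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, unsalted_hash(pw), salt, digest))
    conn.commit()
    return conn


# --- SQL injection: string-built query versus bound parameter ---------------

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Input is pasted into the SQL text, so a quote in it rewrites the query."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Bound parameter: the input is only ever data, never SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same flaw in a login check: a crafted name comments out the password test."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND pw_sha1 = '{unsalted_hash(password)}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised lookup, then a constant-time compare of the salted digest."""
    row = conn.execute("SELECT salt, pw_pbkdf2 FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


# --- Unsalted hashes: one precomputed table cracks every matching account --

def crack_unsalted(conn: sqlite3.Connection, wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once; every user with that password falls together."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {name: table[h] for name, h in conn.execute("SELECT name, pw_sha1 FROM users") if h in table}


def salted_digests_are_distinct(conn: sqlite3.Connection) -> bool:
    """With per-user salts, even identical passwords produce different digests."""
    digests = [row[0] for row in conn.execute("SELECT pw_pbkdf2 FROM users")]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    db = build_db()
    dump = "' UNION ALL SELECT pw_sha1 FROM users --"
    print("vulnerable search leaks:", find_user_vulnerable(db, dump))
    print("safe search returns:", find_user_safe(db, dump))
    print("bypass login:", login_vulnerable(db, "' OR 1=1 --", "anything"))
    print("safe login:", login_safe(db, "' OR 1=1 --", "anything"))
    print("cracked from unsalted table:", crack_unsalted(db, ["123456", "Password1", "letmein"]))
```

Run it directly to watch the string-built queries hand over every hash and let an attacker in without a password, while the parameterised versions treat the same payloads as an unknown username. The two fixes are independent: bound parameters close the injection, but the salted, iterated digest is what limits the damage on the day the table is dumped anyway, which is why both changes matter.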

Assuming the Commissioner is content with the progress made, no fine will be imposed, saving the Racing Post a potential penalty of up to £500,000 which it could expect for a breach of the Data Protection Act.

(Personally I think this is far too lenient and I do not believe the ICO goes as far as it perhaps could to actually make organisations sit up and think about the consequences of a breach – what do you think?)

Meanwhile punters may wish to investigate the security measures employed by the online establishments they frequent following the news last month that Irish bookmaker Paddy Power was breached with the resulting loss of almost 650,000 customer records. In that case, the bookmaker took a whopping 4 years to declare the incident which one can only assume would have given the bad guys plenty of time to make use of the information in all manner of ways.

The Data Breach – It’s More When Rather Than If

So, you put on the radio (anyone still have one of those old-fashioned things?), switch on the tv, or visit your favourite news website and you see it: another data breach has snaffled all the headlines.

Reported data breaches are becoming ever more common. I say reported because I’m not convinced that they necessarily occur vastly more often than in the past, but I do think that they garner more column inches in the rags and more electrons on the interwebs than they ever did.

That said, the nature of data breaches is shifting.

Not so long ago they affected large companies. Hackers, or organised criminals as they more likely are, were targeting big business with the intention of gathering data from which they could profit in some way. It wasn’t great for those affected of course but at least we could go to bed at night and not worry about our own data falling into the wrong hands.

Nowadays of course the situation is somewhat different. Personal data is being hoovered up via data breaches, either as a side effect or by deliberate design. It’s not just hackers stealing that data either, but the post-Snowden observations have been covered well enough elsewhere.

The trend which sees the average man or woman in the street become a direct victim of the data breach is an alarming one as it potentially affects so many people.

To put things into perspective, it has emerged today that up to 27 million South Koreans may have had their personal data compromised by a gang that snaffled up website registrations from a variety of sites, including gambling sites, ringtone sites and games sites.

All in, it looks like up to 220 million records may have been stolen by around 16 people who used that info to fraudulently acquire in-game currency and other virtual items for cash.

Worse yet, breached accounts, along with the associated passwords and resident registration numbers, may have been used by third parties as part of a mortgage fraud ring. The guy behind all of this, known simply as Kim, is also said to have sold personal information on to others too.

It’s not the first time this has happened in South Korea either – in 2011 some 35 million people had their personal information exposed after a breach at Cyworld, a local social network. That figure represents almost the entire population of the country.

Whilst South Korea may not be Ireland, Britain or the US, it would still be naive to think that it couldn’t happen in one of those countries, and on a similar scale.

Because for most people it’s not so much if but when.

So what are you doing to lessen the risk of your company being the next victim of the next big data breach? How are you protecting your own personal information on your local computer? What about your online accounts, of which you likely have many? Are they all protected by unique complex passwords? Are they all trustworthy?

Hopefully you are as secure as you can be already but it is worth returning to Mr Snowden. Whatever you may think of him and the way he has leaked certain sensitive information, there is no denying the fact that he has taught us all one thing: if someone wants your data badly enough, they’ll find a way.

No More Security Through Obscurity As Hackers Snaffle 4.5 Billion Records From 420,000 Websites

A Russian hacking group has swiped over a billion usernames and passwords, linked to over half a million email addresses, from what experts have described as poorly secured databases.

The theft, the largest ever of its kind, was discovered by US-based Hold Security which says credentials were stolen from 420,000 websites.

The company’s founder and CEO, Alex Holden, told The New York Times that, unlike the majority of breaches, the gang behind what Hold Security dubs “CyberVor” have gone after a wide spectrum of sites rather than zeroing in on one large company.

Via the dark corners of the web, the hackers gained access to botnet data which revealed websites that were vulnerable to SQL injection attacks. This allowed the attackers to then visit those sites and harvest data, their primary objective being the gathering of login credentials.

All in, the southern central Russian hackers snaffled up 4.5 billion records though many were duplicates. Overall, Hold Security estimates that the hackers got away with 542 million email addresses and 1.2 billion unique sets of usernames and passwords.

Hold Security has declined to name any of the compromised sites as many have ongoing vulnerabilities and the company has non-disclosure agreements in place, presumably with some of the Fortune 500 sites that were breached.

Hold says that the stolen credentials have not been sold on by the hackers who, instead, appear to be using them to send spam via compromised social networking accounts. This would seem to suggest that at least some of the passwords obtained were either stored in plaintext or were easily cracked.

Companies are now urged to check their systems, looking especially for susceptibility to SQL injection attacks, and this event should further act as a reminder to check all aspects of security within the organisation.
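The two weaknesses the story points at, queries assembled from user input and passwords kept in plaintext or in an easily cracked form, shown beside the hardened pattern a site should be using. This is an added example written for this post, not code from Hold Security or from any of the sites involved; the sample accounts and the in-memory SQLite database are constructed, and the hashing uses PBKDF2 from the Python standard library.

```python
"""A login handler written two ways.

legacy_*   : query text built by string concatenation, passwords stored as
             plaintext (the pattern the CyberVor haul implies).
hardened_* : parameterised query, salted PBKDF2 hash, constant-time compare.

Standard library only; the database is in-memory and the users are made up.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demonstration; not real credentials.
SAMPLE_USERS = [("alice", "correct horse battery staple"), ("bob", "hunter2")]

PBKDF2_ROUNDS = 200_000  # deliberately slow to make offline cracking expensive


def setup_legacy_db():
    """Weak design: the password column holds the plaintext password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def legacy_login(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so any quote
    character in the input is parsed as SQL rather than treated as data."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql).fetchall()]


def legacy_query_errors_on(conn, username):
    """Detection aid: a SQL syntax error triggered by a stray quote in a
    username is the classic sign that input is reaching the SQL parser."""
    try:
        legacy_login(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated on enrolment;
    on verification the stored salt is passed back in."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS)
    return salt, digest


def setup_hardened_db():
    """Hardened design: only salt and hash are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return conn


def hardened_login(conn, username, password):
    """Parameterised query: the driver binds username as a value, so quotes in
    it can never change the statement. The password is checked by recomputing
    the salted hash and comparing in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    legacy = setup_legacy_db()
    print("legacy, valid login:", legacy_login(legacy, "alice",
                                               "correct horse battery staple"))
    print("legacy, quote in name raises SQL error:",
          legacy_query_errors_on(legacy, "o'brien"))
    hardened = setup_hardened_db()
    print("hardened, valid login:", hardened_login(hardened, "alice",
                                                   "correct horse battery staple"))
    print("hardened, quote in name handled as data:",
          hardened_login(hardened, "o'brien", "x"))
```

The quote-in-username probe is a useful thing to look for in application logs: a database syntax error surfacing from a login form means input is being parsed as SQL, which is exactly the condition the CyberVor scripts were scanning for. Note that the hardened version also stores nothing an attacker could reuse directly; a dump of its `users` table still has to be cracked one slow PBKDF2 hash at a time.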

Whilst vulnerable companies remain at risk from future attacks, this particular scenario seems focused on individual users who would be well advised to review all their online accounts and change passwords should they have any concerns about the security surrounding any site they are registered with.

When selecting a new password, users should choose something that is hard to guess or crack and we have ten tips to help you do just that (click here).

Commenting on the news, Mark James, security specialist at ESET, highlighted the limitations associated with the way websites authenticate users, as well as the need for companies to disclose data breaches and other security issues in a timely manner, something that unfortunately doesn’t always happen, as seen recently with CatchOfTheDay and Paddy Power:

“This massive stash of personal information has all been harvested from different locations, ranging from purchased data on the black market through to data from botnets. It has also been harvested from smaller websites where the security is possibly not so good.

We often have to submit our data to do so many seemingly simple things like register to read a newspaper online or even order some takeaway food. This data is stored on servers that could have very little security.

Organising all this data into a central repository and then using it to gain access to more systems would point to a very organised gang of thieves. This discovery highlights the need for companies to inform their users as soon as possible if they think their servers have been compromised as our only defence is using different information online.

The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not reuse the same password anywhere, make small simple changes that can be easily remembered by yourself and don’t use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course.”

ProofPoint’s Mark Sparshott suggests that businesses should take some responsibility onboard, saying that many are living in a past where security through obscurity still had some merit:

“Most SMEs know they have weak security but do nothing about it because they believe that cybercriminals focus on high profile, high value ‘Targets of Choice’ who are selected specifically and pursued intently.

CyberVor blows this self-denial out of the water as the majority of those businesses breached were ‘Targets of Opportunity’ attacked by automated scripts that launched sophisticated SQL Injection, Spam and Phishing attacks against an endless list of websites and IPs without any knowledge of who they were attacking.”

My own suggestion would be that users need to think carefully about opening new accounts online, asking the company concerned why it needs the data and how it will secure it. I’d also point out, once again, that anyone creating an online account should be careful not to reuse the same password because, once compromised, it can give an attacker access to all of their accounts. Use different login credentials for every site you visit – it’s what password managers were made for.