Information security firm Hold Security says it has uncovered credentials from 360 million compromised accounts for sale on the web’s equivalent of the black market.
The US firm, whilst admitting that it does not know where the data originated from or what it can be used to access, said that the treasure trove of information could still pose serious risks to companies and users alike. This, it said, is because the pilfered credentials could include usernames and passwords which, as we all know, tend to be reused across a user’s whole portfolio of accounts, including their online banking setups.
Analysts at Hold Security uncovered the mass of credentials, believed to have been stolen recently, over the last few weeks whilst studying underground forums where stolen data was being traded. The firm, which was responsible for identifying last year’s massive Adobe breach, also uncovered a staggering 1.25 billion email addresses for sale, presumably to spammers desperate to tempt us with even more pills and potions.
Alex Holden, chief information security officer at Hold Security, told Reuters that 105 million of the records came from one source which could signify a new, massive breach, unless it is secondhand data from an already known attack, such as the one seen recently at Target Corp.
Holden’s own belief is that the cache does indeed come from breaches that are not already in the public domain, which raises questions about whether the targets are either (a) unaware that their systems have been compromised in the first place or (b) deliberately keeping quiet about an attack.
The security firm, which gathered the data as part of its Deep Web Monitoring services, says that it will communicate with the companies involved, subject to being able to identify them.
What is known is the type of data available for sale: the compromised accounts offer up goodies such as usernames, email addresses and, it seems, unencrypted passwords too. Eeek!
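The practical defender's question raised by the two points above (plaintext passwords for sale, and users reusing them elsewhere) is whether any of those leaked credentials would also open an account on your own service. The following is an added example, not code from Hold Security or from the article: given a constructed dump in an assumed `email:password` line format and a constructed local user store that keeps only salted PBKDF2 hashes (never plaintext), it lists the local accounts whose current password matches a leaked one, so those users can be forced to reset. The function names, the sample users and the dump lines are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed sample users (plaintext exists here only to build the demo store;
# a real service would already hold salted hashes and never the plaintext).
SAMPLE_USERS = {
    "alice@example.com": "correct horse",
    "bob@example.com": "hunter2",
    "carol@example.com": "s3cret!",
}

# Constructed dump lines in an assumed "email:password" format.
SAMPLE_DUMP = [
    "alice@example.com:correct horse",   # same password as local account -> hit
    "bob@example.com:wrongpass",         # local account, different password -> no hit
    "dave@example.com:hunter2",          # not a local user -> ignored
    "carol@example.com:s3cret!",         # same password as local account -> hit
    "",                                  # blank line, skipped
    "garbage line without separator",    # malformed, skipped
]


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; one-way, so the store never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store(plain_users: dict) -> dict:
    """Build {email: (salt, hash)} with a fresh random salt per account."""
    store = {}
    for email, password in plain_users.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def parse_dump(lines) -> list:
    """Parse 'email:password' lines; tolerate blanks and malformed entries."""
    creds = []
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        creds.append((email.strip().lower(), password))
    return creds


def find_reused_credentials(store: dict, leaked: list) -> list:
    """Emails of local accounts whose current password equals a leaked one.

    Each leaked plaintext is hashed with that account's own salt and compared
    in constant time against the stored hash; nothing is decrypted because
    there is nothing to decrypt.
    """
    hits = set()
    for email, password in leaked:
        record = store.get(email)
        if record is None:
            continue  # leaked account is not one of ours
        salt, expected = record
        if hmac.compare_digest(hash_password(password, salt), expected):
            hits.add(email)
    return sorted(hits)


def demo() -> list:
    """Run the check over the constructed store and dump; returns affected emails."""
    store = make_user_store(SAMPLE_USERS)
    return find_reused_credentials(store, parse_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset: {email}")
```

The output of `demo()` is the list of accounts to put through a forced reset; accounts that appear in the dump with a different password (bob) are not flagged, since the leaked value would not work against them, and addresses that are not local users are simply ignored.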
The reason why so much account data is available across the darkest parts of the web seems obvious – data breaches are very much on the rise, with Risk Based Security (RBS) reporting that 2013 was a record year with over 800 million records being stolen (more than double the previous record high).
Combine that trend with the average cost of a data breach, estimated to be £2.04m in 2013 according to a Symantec and Ponemon Institute report, and you begin to see why companies need to take the risk of being breached extremely seriously.
Fortunately, the Symantec report also highlighted how firms in the UK and US were able to realise the greatest reduction to the impact of a breach – costs were minimised by having a strong security posture, an effective CISO and an incident response plan.
Other factors that could help mitigate a breach, or reduce the chances of one occurring in the first place, include segregating payment card data from other internal networks (it looks possible that one recent breach victim may not have done this, despite the PCI-DSS requirements), improving staff awareness (human error is often a key factor in many cases) and ensuring your systems are secure on an ongoing basis.