A Russian hacking group has swiped over a billion usernames and passwords, linked to over half a million email addresses, from what experts have described as poorly secured databases.
The theft, the largest ever of its kind, was discovered by US-based Hold Security which says credentials were stolen from 420,000 websites.
The company’s founder and CEO, Alex Holden, told The New York Times that, unlike the majority of breaches, the gang behind what Hold Security dubs “CyberVor” have gone after a wide spectrum of sites rather than zeroing in on one large company.
Via the dark corners of the web, the hackers gained access to botnet data which revealed websites that were vulnerable to SQL injection attacks. This allowed the attackers to visit those sites and harvest data, their primary objective being the gathering of login credentials.
All in, the southern central Russian hackers snaffled up 4.5 billion records, though many were duplicates. Overall, Hold Security estimates that the hackers got away with 542 million email addresses and 1.2 billion unique sets of usernames and passwords.
Hold Security has declined to name any of the compromised sites as many have ongoing vulnerabilities and the company has non-disclosure agreements in place, presumably with some of the Fortune 500 sites that were breached.
Hold says that the stolen credentials have not been sold on by the hackers who, instead, appear to be using them to send spam via compromised social networking accounts. This would seem to suggest that at least some of the passwords obtained were either stored in plaintext or were easily cracked.
Companies are now urged to check their systems, looking especially for susceptibility to SQL injection attacks, and this event should further act as a reminder to check all aspects of security within the organisation.
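The two weaknesses the article keeps returning to, queries built from user input and passwords kept in a form that is directly reusable once the table is stolen, both live in a site's login path. The following is an added example written for this page, not code from Hold Security, ESET or any of the breached sites: a minimal login handler written the vulnerable way and then the hardened way, against a constructed in-memory SQLite database. The user record, the email address and the PBKDF2 work factor are all assumptions chosen for the demonstration.

```python
"""Added example (not from the article): one login check written two ways.

login_vulnerable splices user input into SQL text and stores passwords in
plaintext. login_hardened binds parameters and stores only a salted PBKDF2
hash, so the same stolen table yields no directly reusable credentials.
The database and the single user row are constructed for this demonstration.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumption: a present-day PBKDF2-HMAC-SHA256 work factor; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def make_db_vulnerable() -> sqlite3.Connection:
    """Constructed table with a plaintext password column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice@example.com", "correct horse"))  # constructed record
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Deliberately weak: untrusted input becomes part of the SQL statement,
    and a plaintext comparison is done inside the query."""
    query = ("SELECT 1 FROM users WHERE email = '" + email
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def make_db_hardened() -> sqlite3.Connection:
    """Constructed table that stores salt and hash instead of the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    salt, digest = hash_password("correct horse")  # constructed record
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice@example.com", salt, digest))
    conn.commit()
    return conn


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Parameterised lookup by email only; the password never reaches SQL text,
    and the stored hash is compared in constant time."""
    row = conn.execute("SELECT salt, hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    tautology = "' OR '1'='1"  # the classic textbook probe, used here only to show the difference
    print("vulnerable, right password :", login_vulnerable(make_db_vulnerable(), "alice@example.com", "correct horse"))
    print("vulnerable, tautology input:", login_vulnerable(make_db_vulnerable(), "alice@example.com", tautology))
    print("hardened, right password   :", login_hardened(make_db_hardened(), "alice@example.com", "correct horse"))
    print("hardened, tautology input  :", login_hardened(make_db_hardened(), "alice@example.com", tautology))
```

In the vulnerable version the quoted input changes the meaning of the statement, so a wrong password can still return a row; in the hardened version the driver treats the same string purely as data and the comparison is done against a salted hash in application code, which is why neither the query nor a copy of the table gives an attacker a working login.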
Whilst vulnerable companies remain at risk from future attacks, this particular scenario seems focused on individual users who would be well advised to review all their online accounts and change passwords should they have any concerns about the security surrounding any site they are registered with.
When selecting a new password, users should choose something that is hard to guess or crack, and we have ten tips to help you do just that.
Commenting on the news, Mark James, security specialist at ESET, highlighted the limitations associated with the way websites authenticate users, as well as the need for companies to disclose data breaches and other security issues in a timely manner, something that unfortunately doesn’t always happen, as seen recently with CatchOfTheDay and Paddy Power:
“This massive stash of personal information has all been harvested from different locations, ranging from purchased data on the black market through to data from botnets. It has also been harvested from smaller websites where the security is possibly not so good.
We often have to submit our data to do so many seemingly simple things like register to read a newspaper online or even order some takeaway food. This data is stored on servers that could have very little security.
Organising all this data into a central repository and then using it to gain access to more systems would point to a very organised gang of thieves. This discovery highlights the need for companies to inform their users as soon as possible if they think their servers have been compromised as our only defence is using different information online.
The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not re-use the same password anywhere, make small simple changes that can be easily remembered by yourself and don’t use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course.”
Proofpoint’s Mark Sparshott suggests that businesses should take some responsibility on board, saying that many are living in a past where security through obscurity still had some merit:
“Most SMEs know they have weak security but do nothing about it because they believe that cybercriminals focus on high profile, high value ‘Targets of Choice’ who are selected specifically and pursued intently.
CyberVor blows this self-denial out of the water as the majority of those businesses breached were ‘Targets of Opportunity’ attacked by automated scripts that launched sophisticated SQL Injection, Spam and Phishing attacks against an endless list of websites and IPs without any knowledge of who they were attacking.”
My own suggestion would be that users need to think carefully about opening new accounts online, querying the company concerned along with why they need the data and how they will secure it. I’d also point out, once again, that anyone creating an online account should be careful not to reuse the same password because, once compromised, it can give an attacker access to all of their accounts. Use different login credentials for every site you visit – it’s what password managers were made for.