Russian gang stole 1.2 billion Net passwords
Security researchers say a Russian crime ring has pulled off the largest known theft of confidential Internet information, including 1.2 billion username and password combinations and more than 500 million email addresses.
The cyber gang injected malicious code to steal databases from at least 420,000 websites, says Alex Holden, founder and chief information security officer for Hold Security in Milwaukee, Wisc.
"It is absolutely the largest breach we've ever encountered," Holden said late Tuesday.
Most unsettling, he said, was finding his own credentials among the compromised data.
Hold Security cyber sleuths have been monitoring the cyber gang for about seven months, but only recently realized the magnitude of the gang's operation, Holden said.
"We thought at first they were run-of-the-mill spammers," he said. "But they got very good at stealing these databases."
Holden won't identify the gang, but he says his investigators know their names and locations. "The perpetrators are in Russia so not much can be done. These people are outside the law," he said.
Hold Security said it is trying to contact the victims, but most of the websites remain vulnerable. Holden would not identify the victims, but said they included the auto industry, real estate, oil companies, consulting firms, car rental businesses, hotels, computer hardware and software firms and the food industry. The gang targeted SQL databases, Holden said.
The New York Times first reported the breach Tuesday.
Word comes as hundreds of the world's computer security professionals gather here for Black Hat, a major computer-security conference.
While the breach appears to be large, it's still hard to say if it's the biggest that's ever been discovered, said Marc Maiffret, the chief technical officer at BeyondTrust, a Phoenix-based computer security company. "There's always lots of changes when the dust settles, it takes months to know" how important a breach was, he said.
If a cache of passwords this big has been found, others likely exist. "I would absolutely assume there are others," said Maiffret.
The cache of credentials was created by taking advantage of the two most common types of hacking — attacking web sites to gain access to underlying databases of customer information, as well as going after individuals and "everyday email," said Maiffret. "It's really a perfect storm" of an attack, he said.
The size of the operation shouldn't come as a surprise to anyone, Maiffret said. "In the past, when people thought of hacking, they thought of a lone teen-aged hacker sitting in the basement," he said. "But people need to realize that most hacking today is related to organized crime."
Even large companies need to acknowledge that modern-day hackers are likely "much better funded than they are," said security expert Sharon Vardi, who is the chief marketing officer of Securonix. "They are backed by millions of dollars to get the job done," he said.
Describing the breach as "easily five times the size of the Target breach," Vardi said that most organizations are not set up to defend these types of attacks. "They are not monitoring anomalies in their networks to detect these breaches quickly," he said.
Security expert Phil Lieberman, CEO of Lieberman Software, thinks the theft may be more of a warning or a veiled threat from the Russians. "I think this is a political statement rather than a security threat," he said. "I think there is a message being sent and the message is: Watch out."
The Russian government could have prevented the breach, he says. "But then the question is: Why should they? Are we such good friends that they should stop this?"
What are your views on this?
To me this signifies a hugh lapse of security on the part of the United States Goverment, Maybe if they would spend less time spying on their own people they might've caught this sooner but instead it was a small security firm in the middle of the country that actually caught this now the government.
Have you ever been the victim of a hacker?
This is kind of scary, This kind of scares me even more than the Target hacker theft of credit card information last year and my information was stolen I've been lucky so far that my info wasn't/hasn't been used by whoever stolen/bought the info
Do you change your password often?
ever since then i have been extra careful and i change my password to all my accounts that holds any personal or financial info every week.
Prior to that i only changed my password whenever i got a reminder that i should change it
It would be wise to change your password to your e-mail and any accounts which have private infomation such as Personal Infomation such as Name, Address, Phone Number ect and websites such as your Bank & Credit Card Companies since they are tied to your e-mail it would be easy to gain access to your credit card accounts and bank accounts.
Although they said that none of the information taken has been used or believe to have not yet been sold it would be wise to change them just as a percaution