Playing Russian Roulette with Internet security

This week's massive internet attack that compromised 1.2 billion credentials is just the tip of the iceberg


It seems each new hack that makes headlines is more grandiose than the last. While this week's massive theft of more than one billion username and password combinations may not have had the security impact of several recent corporate network breaches, it certainly ranks at the top in sheer scope.

Although 1.2 billion credentials were stolen, many people hold several usernames and passwords, so it is difficult to calculate just how many individuals this attack affected. Still, with roughly 2.9 billion internet users worldwide, the chances are that you or someone you know was affected. The fear is that, because so many people reuse the same password across services, a cache of this size lets thieves try the stolen e-mail and password pairs against other accounts in the future.

“There has been much commentary that many of these Russian hacked websites are still ‘vulnerable’ – truth of the matter is, they’ve been vulnerable for some time. In the hacker world, this really isn’t news. As long as businesses are more focused on making things run than making them secure, there will be a large number of insecure servers,” says Dave Frymier, CISO of Unisys.

This latest Russian attack was reportedly discovered by U.S. security firm Hold Security of Milwaukee, which has also been credited with discovering the Adobe Systems data breach in October 2013 and the much publicized Target breach in December. According to Hold Security executives, they were able to identify a Russian cyber gang after seven months of exhaustive research. This group, which Hold Security dubbed “CyberVor”, was in possession of the largest cache of stolen data the firm had ever detected – more than 4.5 billion records – stolen from over 420,000 web and FTP sites, both private and commercial.

At the outset, CyberVor bought stolen credentials on the black market from fellow criminals, using them to attack e-mail providers, social media and other websites with spam, and to install malicious redirections on legitimate systems. Earlier this year CyberVor changed approach, using its underground connections to obtain access to botnets.

“This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren’t patched, and automated botnets to exploit them yielding massive troves of identity data suitable for ruthless secondary online system attacks at tremendous scale,” comments Mark Bower, Vice President of Voltage Security. “Yet more evidence the bad guys are winning big at consumers’ expense, who will foot the bill for this in the end like a hidden tax. Clearly it’s time to change the game in data-security and neutralize data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”

These botnets used the infected victims’ machines to test the websites those victims visited for SQL injection vulnerabilities, turning ordinary browsing into what was, in effect, possibly the largest security audit ever conducted. Over 400,000 sites were flagged as potentially vulnerable to SQL injection alone. The CyberVor gang then exploited these flaws to pull data, including stored credentials, straight out of the sites’ databases.
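To make the flaw described above concrete, here is an added example (not code from the article, Hold Security or any of the affected sites) in Python using the standard library's sqlite3 module. It shows a login query built by string formatting, the same query with bound parameters, and a two-step probe of the kind an automated scanner might run against a login form: a tautology payload that bypasses the password check, and a lone quote that provokes a database error. The user table and its contents are constructed for the example and are not real data.

```python
import sqlite3

# Constructed sample data standing in for one compromised site's user table.
# These are not real credentials.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correcthorse"),
]

# Tautology payload: closes the email literal, adds an always-true clause,
# and comments out the password comparison that follows it.
TAUTOLOGY = "' OR '1'='1' -- "


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the query by string formatting, so attacker input becomes SQL."""
    sql = (
        "SELECT email, password FROM users "
        f"WHERE email = '{email}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_hardened(conn, email, password):
    """Same query with bound parameters: input is treated as data, never as SQL."""
    sql = "SELECT email, password FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def probe_for_injection(login, conn):
    """Two cheap checks a scanner would run against a login function.

    Returns True if the tautology payload returns rows despite a wrong
    password, or if a lone quote raises a database error (an error-based
    signal); returns False if neither check succeeds.
    """
    if login(conn, TAUTOLOGY, "wrong-password"):
        return True
    try:
        login(conn, "'", "")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login flagged:", probe_for_injection(login_vulnerable, db))
    print("hardened login flagged:  ", probe_for_injection(login_hardened, db))
    print("rows leaked by tautology:", login_vulnerable(db, TAUTOLOGY, "x"))
```

Against `login_vulnerable` the tautology payload dumps every row of the table, which is exactly how a login form becomes a credential export; against `login_hardened` the same payload is just an e-mail address that matches nobody. Note that the sample table stores passwords in cleartext: parameterized queries stop the injection, but only hashing the stored passwords limits the damage if the database is reached some other way.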

“To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords,” report Hold Security officials. “The CyberVor gang did not differentiate between small or large sites. They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”

Sami Nassar, who leads digital security products for the cyber-security market at NXP Semiconductors, believes the problem of Internet security and password protection goes beyond relying on a simple combination of a username and password.
