August 7, 2014

Largest Data Breach Ever: One Billion Passwords Swiped By Russian Hackers

redOrbit Staff & Wire Reports - Your Universe Online

Russian hackers have stolen more than one billion usernames and passwords belonging to over 500 million unique email addresses in what one cybersecurity firm is calling “arguably the largest data breach known to date.”

Hold Security, a US-based firm that specializes in detecting this type of activity, revealed on Tuesday that an unnamed Russian gang of hackers had amassed more than 4.5 billion records. Most of those records are stolen credentials, and 1.2 billion appeared to be unique.

“It is absolutely the largest breach we've ever encountered,” Alex Holden, the founder and chief information security officer of the Wisconsin company, told USA Today reporters Donna Leinwand Leger, Elizabeth Weise and Jessica Guynn. “We thought at first they were run-of-the-mill spammers, but they got very good at stealing these databases.”

Most disconcerting for Holden, the writers noted, was discovering his own personal information among the thieves’ cache. He added that Hold Security is attempting to contact the affected parties, which include members of the auto industry, real estate and oil companies, computer hardware and software firms and the food industry. However, Holden declined to identify any of the victims, stating that most of their websites are still vulnerable.

The group, which the company later dubbed “CyberVor” (“vor” being the Russian word for “thief”), reportedly cracked more than 420,000 web and FTP sites along the way. At first, the gang bought databases of stolen credentials from other hackers on the black market and used that information to attack e-mail providers, social media and other websites, distributing spam and installing malicious redirects on legitimate systems.

Earlier this year, the gang changed its approach: through the same black market it obtained access to data from botnets, large groups of computers that have been infected by a virus and are controlled from a single system. The botnets used those infected machines to probe the sites they visited for SQL injection vulnerabilities.

“Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone,” the company explained in its report. “The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.”
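The attack chain the report describes, credential theft through SQL injection, as an added illustration that is not part of the article or of Hold Security's report: a login lookup written the vulnerable way beside its parameterized fix, plus a crude heuristic for spotting tautology probes in web access logs. The credential table, log lines and function names are constructed for this example.

```python
import re
import sqlite3
from urllib.parse import unquote


def build_db() -> sqlite3.Connection:
    # Constructed credential table; values are placeholders, not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    return conn


def lookup_vulnerable(conn, email):
    # Pattern to audit for: user input spliced into the SQL text, so a quote
    # in the input changes the query and can dump every row of the table.
    sql = "SELECT email, password_hash FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Fix: bind the value; the driver never treats it as SQL syntax.
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = build_db()
    probe = "x' OR '1'='1"  # classic tautology input used to test for the flaw
    return {"vulnerable": lookup_vulnerable(conn, probe),
            "parameterized": lookup_parameterized(conn, probe),
            "normal": lookup_parameterized(conn, "alice@example.com")}


# Constructed access-log lines; the second carries a URL-encoded tautology.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Aug/2014:10:00:01 +0000] "GET /login?email=alice%40example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Aug/2014:10:00:02 +0000] "GET /login?email=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001',
]

# Crude heuristic: a quote followed by OR/AND and a comparison. Expect false
# positives and negatives; it is a triage signal, not a filter.
SQLI_HINT = re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.IGNORECASE)


def flag_requests(lines):
    """Return (client_ip, request_path) for lines whose decoded query matches SQLI_HINT."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*"GET (\S+) HTTP', line)
        if m and SQLI_HINT.search(unquote(m.group(2))):
            hits.append((m.group(1), m.group(2)))
    return hits
```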

According to the Wall Street Journal’s Danny Yadron, Hold Security is offering to perform “breach notification services” for website owners to determine if they had been affected – but at a cost. Holden told Yadron that convincing other businesses to pay a fee in order to recoup the costs of verifying website ownership and “prove to them that we are the ‘good guys’… is a hard and often thankless task.”

While Holden did not state exactly how much those services would cost, BBC News went on to report that Hold Security later posted a message on its website stating that its “breach notification service” would cost interested parties $120 per month. The company's approach to the issue surprised at least one computer security expert.

“This situation is quite unusual in that the company has decided to charge for this information,” Dr. Steven Murdoch of University College London's computer science department told BBC News. “Usually they would do an initial disclosure [of who had been affected] for free and then offer their services for a fee at a later stage.”

“The company rightly points out that there is going to be a huge amount of work to securely contact all the affected websites, but a common solution to this is to partner with a government or industry-funded organization to help with that,” he added.

Murdoch also cautioned that users should not be too quick to reset their passwords.

“Although there's a large amount of passwords involved, a lot of them could be irrelevant and many of the websites tiny,” he said. “It's not necessarily the case that a large proportion of internet users have been affected… So, there's no reason to panic now, but perhaps it's a good reminder to follow best practice of not using the same password on multiple websites, because this will not be the last time such a breach happens.”