Fresh Stash of 360 Million Credentials and 1.25 Billion Email Addresses Uncovered

  • 26 February 2014
  • 4 replies
  • 7 views

Userlevel 7
Badge +54
Security experts from Hold Security say they’ve identified a total of 360 million credentials and 1.25 billion email addresses stolen and misused by cybercriminals from various companies. The massive volume of data was uncovered in the first three weeks of February and it was stolen recently.

The companies from which the information has been stolen have not been named. The security firm is still working on identifying some of the victims and alerting them since they might not be aware of the breach.

Alex Holden, Hold Security’s CISO, has told Reuters that 105 million of the credential sets are from a single attack. This information can be highly valuable for cybercriminals not only to hijack accounts, but also for targeted spam campaigns.

Hold Security has gathered the data as part of its Deep Web Monitoring services. Now, the company has launched Credentials Integrity Services to help companies assert their data integrity.

The firm has analyzed numerous data breaches that have resulted in tens or hundreds of millions of accounts becoming compromised. For instance, they’ve investigated the over 150 million credentials stolen from the systems of Adobe and the 42 million credentials taken from Cupid Media.

While in many cases, cybercriminals obtain login credentials directly from the targeted organization’s systems, they also use botnets to harvest large amounts of data. For example, researchers from Trustwave’s SpiderLabs have analyzed credential records stolen by the Pony botnet.

Over a 4-month period, the botnet has helped attackers steal over 700,000 account credentials for various services, including websites, email accounts, FTP servers, SSH and Remote Desktop services.

Whenever there’s a major data breach, the impacted company usually takes the necessary steps to ensure that their customers’ accounts are not illegally accessed. This involves resetting passwords and locking down accounts.

However, the main problem is that many people use the same credentials for multiple online accounts. This means that if the attackers obtain their credentials for a file sharing site, chances are that the same username and password can be used to access Yahoo, Gmail, Facebook, Hotmail or other accounts.

Even if the breached company resets all passwords and alerts impacted customers, it will take some time until most internauts change all their passwords, and some of them probably never do.

While many users consider that there’s no sensitive information in their email accounts, access to such an account is usually just the first step in an attack that could have serious consequences.
 
Source Article

4 replies

Userlevel 7
Hi Jasper
 
Thanks for posting...this is getting ridiculous.  There must be a market out there for people with the skills to design systems, & processes for the safeguarding of credentials, etc.  Not a week goes by without some sort of hack or leak...and these are only the ones we hear about.  How many never see the light of day.
 
You can see why banks have introduced those portable PIN-based single use credential generators just to double check the movement of money, although last week I was asked by one bank to use the system to access internet banking...extremely annoying but I suppose better security may become just that...more annoying to use. :(
 
Regards
 
 
Baldrick
Userlevel 7
Badge +56
@ wrote:
Hi Jasper
 
Thanks for posting...this is getting ridiculous.  There must be a market out there for people with the skills to design systems, & processes for the safeguarding of credentials, etc.  Not a week goes by without some sort of hack or leak...and these are only the ones we hear about.  How many never see the light of day.
 
You can see why banks have introduced those portable PIN-based single use credential generators just to double check the movement of money, although last week I was asked by one bank to use the system to access internet banking...extremely annoying but I suppose better security may become just that...more annoying to use. :(
 
Regards
 
 
Baldrick
Agreed - we need to start using two factor authentication on everything.  
Userlevel 7
Holy cow. That's incredible. 
Userlevel 7
Badge +54
I agree Nic, two factor authentication needs to be rolled out everywhere, it is worrying what is happening.

Reply