Report: Shadowy Russian hacker group now has 1.2B usernames, passwords


Userlevel 7

Sites range from "Fortune 500 companies to very small websites."

by Cyrus Farivar - Aug 5 2014
 


 
A Wisconsin security firm claims that a Russian criminal group has accumulated the largest known collection of stolen online usernames and passwords via SQL injections, according to a new report in The New York Times on Tuesday.
Hold Security, which did not immediately respond to Ars’ request for comment, apparently has 1.2 billion usernames and passwords across 420,000 sites. It declined to tell The Times which companies were affected, nor name the group specifically.
 
Full Article

17 replies

Userlevel 7
A little bit more information is trickling out about this now.
 
by paganinip on August 6th, 2014
 
“The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.” reports the New York post.
“There is a division of labor within the gang,” “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” “And most of these sites are still vulnerable.” said Alex Holden, confirming that many of the targeted websites are still vulnerable.
 
 
 
Full Article
Userlevel 7
This is where users need to practice good safety and change their password and user name on a regular basis.
Userlevel 7
by John Hawes on August 6, 2014
 

Website users

There is currently no way to tell if you have been affected by any of this. The owners of the affected sites are being informed and hopefully they will tell their users in turn.
Because the sites that were successfully attacked were compromised by easily-avoided vulnerabilities it's prudent to assume those sites didn't secure the data in their databases properly either. Even strong passwords are at risk if they aren't stored correctly.
That means a large, random selection of people have had their personal data compromised and the only reasonable security precaution is to assume you're one of them. We recommend that you:
  • Change your website passwords.
  • Use a unique password for each website.
  • Use two-factor authentication wherever you can.
  • Check bank and social media accounts for suspicious behaviour.

Website owners

This data haul may yet turn out to be a 'Heartbleed' moment for website owners who assume their sites are too small to be of interest to hackers.
The gang that amassed this giant data haul didn't discriminate between popular or unpopular, large or small. All that mattered was vulnerability.
Fortunately SQL injection attacks are easily defeated by simple coding practices.
If you run a website, we recommend that you:
Full Article
Userlevel 6

1.2 billion logins scooped up by CyberVor hacking crew - what you need to do

 
By John Hawes  August 6, 2014
 
Hackers have amassed a vast collection of stolen data, including 1.2 billion unique username/password pairs, by compromising over 420,000 websites using SQL injection techniques.
 
That's according to security monitoring and assessment firm Hold Security, whose past record includes work on uncovering last year's Adobe source code leak.
 
Researchers monitored the gang for over seven months, thought to be "fewer than a dozen men in their 20s who know one another personally" based in a small city in central Russia.
 
Full story
Userlevel 7
The following article is an update on 1.2B usernames and passwords
 
(Five unanswered questions about massive Russian hacker database)
 
 
By Martyn Williams 
August 6, 2014 08:26 PM ET
IDG News Service - There's still much that's unclear about Tuesday's revelation that a small group of hackers in Russia have amassed a database of 1.2 billion stolen user IDs and passwords. The company that disclosed the incident, Hold Security, didn't offer any fresh information Wednesday, but here are five questions we'd like to see answered (and a bonus one that we already know the answer to).
ComputerWorld / Full Article Here: http://www.computerworld.com/s/article/9250213/Five_unanswered_questions_about_massive_Russian_hacker_database
Userlevel 7
It looks like some security experts are beginning to seriously question the figures in this story now.
 

Don't panic: That Russian hack bombshell isn't what you think

 

News of 1.2 billion stolen Web credentials raises key questions about the data -- and the motives of the security researcher

 
By Caroline Craig August 07, 2014

 
 
"InfoWorld's Roger Grimes concurred, saying, "I'm not only bothered that it's from one source, but that the password database review was only done by one company; 1.2 billion is a lot of credentials and seems very high to me."
 
Another red flag: The hackers aren't trying to sell the data or use it to steal actual money. "They're using it for Twitter spam, the dark Web equivalent of boiling the bones for stock," says The Verge's Brandom. "The fact that the crew is reduced to jacking Twitter accounts suggests the data is more about quantity than quality.... No one was going to pay $120 a year just to find out if their Twitter might get hacked.""
 
Full Article
 
Userlevel 6
So, it is still unknown which websites were hacked? Am I understanding what I read correctly? They know how many usernames, passwords but  not where they were obtained from?
 
If I am understanding correctly, very good chance that the number of usernames, passwords will increase.
 
 
Userlevel 7
Bruce Schneier is also telling people not to panic over this one:
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
Userlevel 6
@ wrote:
Bruce Schneier is also telling people not to panic over this one:
https://www.schneier.com/blog/archives/2014/08/over_a_billion_.html
Makes sense, puts many minds at ease, mine included! 
 
Thank you Nic!
Userlevel 7
Nice quote from @ in SecurityInfoWatch:
 
"It's a difficult state of affairs for online account password security and it always has been - Heartbleed demonstrated that. Security experts can never provide fool-proof security for passwords as it just isn't possible. Whether it's through vulnerable code, falling for scams, or trusting others, you just can't guarantee password protection,” Webroot’s Senior Threat Research Analyst Tyler Moffitt says.
 
Full article.
Userlevel 7
Never a truer word said...and yet still there are those who seek one of the 'Holy Grails' of security ...the unbreakable / fool-proof password...well, good luck to them...they have got a job for life...;)
1.  Many of you are probably familiar with this.  eBay and PayPal offer a small device that is used in addition to a user id and password.  If one uses it, one has to turn it on and retrieve an ever-changing number that is pre-programmed, in order to be authenticated to access the website.  So I have two questions:  does the use of such a device help prevent hacking my accounts with eBay and PayPal?  If so, why do more companies not offer such a device?  I remember having been required to use one of these in a certain job 10 years ago to access corporate bank account info.  If the device wasn't used in a certain time period (3 months?  6 months?), it was turned off and one would have to go through the entire setup procedure with the bank again.  The device is made by Vasco.
 
2.  I would like to know whether other forum members believe that our Federal Government is or is not doing enough, itself, to intervene and stop the nonsensical proliferation of worldwide hacking.
 
Thanks.
Userlevel 7
Hi ThreatStamper
 
What you are referring to is what is called TLA or 2LA (Two Level Authentication) which whilst invariably more secure than username & password, so 'Yes' should improve protection on your FB & eBay accounts, nothing is foolproof and it has in fact been or is being superseded by 3LA (yes, you guessed it, Three Level Authentication)...and therein lies the crux...continually evolving and supposedly improving technology (and threats), the cost therefore of implementing this technology, especially in the case of having a proprietary device as you have mentioned (times how many FB and/or eBay users?) and the question of how secure do you make secure...which invariably (and I will get shouted down for saying this) depends on the value of the data...which is why you very often see banks & financial institutions using this and footing the cost (which they invariably pass on to the customer somehow...but not overtly ;)) but very few other places using it.
 
I work in IT/IS and have to connect to many customers remotely over VPN, and there are very few of my customers that go into this level of security...which some may find surprising...but in the sector I work in that seems to be the norm.
 
In terms of the 2nd point; I am not a US citizen so can only answer for my country but I can say that IMHO the US Government does not have the monopoly in not doing enough in this area...if you get my drift. ;)
 
Regards
 
 
 
Baldrick
Userlevel 7

Thousands of .au sites p0wned and thrown to the winds

By Darren Pauli, 11 Aug 2014
 
More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit.
Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords through automated and botnet-driven SQL injection attacks against horribly insecure websites.
 The hackers reportedly amassed a staggering 4.5 billion username and password combinations including many duplicates, or 1.2 billion unique pairs.
Of these, 2,285,295 compromised accounts related to email addresses ending in '.com.au' and included corresponding passwords, Alex Hold told The Register.
 
Full Article
Userlevel 7
This has to be the biggest hack to date..........the figures are mind staggering
Userlevel 7
I realize this is a bit out-dated, but I like to look at the different ways that the various media outlets cover these stories. Here's the New York Times point-of-view... as they say "All the News That's Fit to Print"
 
TECHNOLOGY
Russian Hackers Amass Over a Billion Internet Passwords
By NICOLE PERLROTH and DAVID GELLES AUG. 5, 2014
 
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
 
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems. Read more...
Userlevel 7
24th November 2015  By Nate Raymond
 
 
A hacker who once advertised having access to user account information for websites like Facebook (FB.O) and Twitter (TWTR.N) has been linked through a Russian email address to the theft of a record 1.2 billion Internet credentials, the FBI said in court documents.
 
That hacker, known as "mr.grey," was identified based on data from a cybersecurity firm that announced in August 2014 that it had determined an alleged Russian crime ring was responsible for stealing information from more than 420,000 websites, the documents said.
 
The papers, made public last week by a federal court in Milwaukee, Wisconsin, provide a window into the Federal Bureau of Investigation's probe of what would amount to the largest collection of stolen user names and passwords.
 
Full Article
 
