A relatively young Russian cyber crime ring has illegally harvested the largest known cache of Internet identities. The collection includes 1.2 billion (yes, billion) username and password combinations and more than 500 million email addresses, according to Hold Security on Aug. 5.
The records appear to have been gathered from more than 420,000 international websites using malware to penetrate security walls. One computer crime expert said that some big companies are aware that their records have been compromised. A billion people are potentially affected.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security on August 5. “And most of these sites are still vulnerable.”
Most unsettling, he said, was finding his own credentials among the compromised data.
With the many database breaches, it is increasingly apparent that keeping information securely away from interested cyber thieves is a losing battle. Experts point to the Target breach, in which 40 million credit card numbers and 70 million addresses and phone numbers were compromised. Last October, 200 million records that included Social Security numbers and credit/banking information were stolen from Court Ventures, a company now owned by Experian.
“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner, the research firm, in an interview with the NY Times. “Until they do, criminals will just keep stockpiling people’s credentials.”
Hold Security believes that most of the information is not being sold but rather used to send spam on social networks such as Twitter. The ring is collecting fees for the use of its collection. That may change should the ring go the more profitable route of selling data.
The hackers are known. The ring is in south central Russia, near Kazakhstan, and is composed of fewer than a dozen men in their early 20s. Of concern is that they started as amateurs only in 2011 and quickly learned the skills needed to take on large companies with sophisticated cyber security systems. Holden surmises they partnered with another entity, which he has not identified, that may have shared hacking techniques and tools.
Since April they have used botnets, networks of computers that have been infected with a virus that enables the hackers to control them, to extract massive amounts of critical information. By July, Holden said, the ring was able to collect 4.5 billion records. Because people used multiple email addresses, Hold Security was able to determine that 1.2 billion unique records had been compromised.
The breach announcement comes as hundreds of hackers and security specialists gather in Las Vegas for the annual Black Hat security conference this week. The event attracts thousands of security vendors displaying “the newest and greatest security technologies.” Security firms take advantage of this week to release “new research” to show their skills or simply for bragging rights. Is this a case of “timing is everything?”
“While the breach appears to be large, it's still hard to say if it's the biggest that's ever been discovered,” said Marc Maiffret, the chief technical officer at BeyondTrust, a Phoenix, Arizona-based computer security company. "There's always lots of changes when the dust settles, it takes months to know how important a breach was," he said.
If a cache of passwords this big has been found, it is likely that others exist. "I would absolutely assume there are others," Maiffret added.