Over 1 Billion Passwords Stolen

Category: Security

Russian cybercrooks have hijacked a mother lode of 1.2 billion unique username and password credentials. The New York Times did some quick math and noted, “that’s more than the population of China!” The thieves have also amassed a list of 500 million email addresses -- so should you be worried? Read on...

Million, Billion, What's the Difference?

It's starting to get boring. Every month we see another headline warning of a data breach resulting in the theft of millions of email addresses, passwords, or credit card numbers. And now, in a scene reminiscent of Doctor Evil in an Austin Powers movie, it's BILLIONS!

But that doesn't mean you should stop paying attention. Even if many of those passwords are of little use to the thieves, the email addresses can be used to make it look like their owners are blasting out spam.

Hold Security, based in Milwaukee, discovered the massive trove of ill-gotten credentials. That’s the same firm that disclosed the leak of several million Adobe users’ account information earlier this year.

One BILLION Passwords!

The thieves plundered over 420,000 Web sites belonging to Fortune 500 brands as well as mom-and-pop pages to gather so many credentials. No particular geographic area was targeted, according to Hold Security. The scope and size of the criminal ring means it must be the work of master career criminals. Right?

But according to Hold, the thieves got started only in 2011 as small-time spammers. It wasn’t until April of 2014 that their criminal activity exploded. Hold believes the penny-ante group partnered with another, unidentified hacker group that shared techniques and tools with the newcomers.

How Could This Happen?

Even if your password wasn't one of the 1.2 billion stolen by Evil Russian Hackers, you should make sure that you're using strong and secure passwords. See my related articles Is Your Password Strong Enough?, Sync Your Passwords on Windows, Mac and Mobile, and Are Passwords Obsolete? for my tips on passwords and how to manage them.

One of the key tools that enabled such rapid growth of a criminal enterprise was botnets, according to Hold’s forensic analysis. Legions of secretly enslaved computers were commanded to do the following:

  • STEP 1: Visit Web site X
  • STEP 2: Test the site to see if it’s vulnerable to an “SQL injection” attack
  • STEP 3: If so, ATTACK and upload a malware payload that sends users’ credentials to the thieves

Outrageously simple, isn’t it? But what’s simply outrageous is that the “SQL injection” vulnerability has been well-known for many years, patches have been available nearly as long, and still hundreds of thousands of sites, large and small, remain vulnerable to it!
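As an added illustration (example code written for this page, not code from the article or from Hold Security's report), here is the kind of flaw those botnets were probing for, next to the parameterized query that has been the standard fix for just as long. The user table, the "alice" account and the probe string are constructed for the demo; Python's built-in sqlite3 stands in for a site's database.

```python
import hashlib
import sqlite3


def build_db():
    """Constructed sample user store (in-memory SQLite), assumed for this
    example only. The password is stored as a SHA-256 digest for brevity;
    a real site should use a slow, salted hash such as bcrypt or scrypt."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse battery").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flaw the botnets were hunting for: user input is pasted straight
    into the SQL text, so a quote in the input can rewrite the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The long-available fix: bound parameters. The driver passes the values
    separately from the SQL text, so quotes in the input are data, not syntax."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    # A constructed username that turns the rest of the WHERE clause into a comment.
    probe = "' OR '1'='1' --"
    print("vulnerable, real creds:  ", login_vulnerable(db, "alice", "correct horse battery"))
    print("vulnerable, probe input: ", login_vulnerable(db, probe, "anything"))
    print("parameterized, probe:    ", login_parameterized(db, probe, "anything"))
```

The vulnerable version lets the probe string log in with no valid password at all; the parameterized version treats the same string as an ordinary (non-existent) username, which is the whole point of the fix.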

It’s rather breathtaking to realize how quickly cybercrooks can go from clueless newbies to record-breaking thieves. The Internet really has sped up everything to nearly the speed of light -- except, apparently, the due diligence of Webmasters.

The news media made a big deal of this discovery, of course. It then made a big deal of the fact that Hold Security apparently tried to cash in on its whistle-blowing. The security firm hastily, and rather ham-fistedly, offered to check your email address against the database of stolen ones for a small fee. It also offered a year’s subscription to its “suspicious activity monitoring service.” The mainstream media sniffed at what they perceived as unsubtle and unseemly greed.

It's a Sensation!

“Yes, I expect security firms to make money for making the Internet more secure,” wrote the Washington Post’s business columnist, Gail Sullivan, “but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic.”

Excuse me, Ms. Sullivan, but how else does your employer WashPo, the Grey Lady that published a story screaming “Russian Hackers Steal More Than 1 Billion Passwords,” make their money, please? Selling papers by using sensational headlines to create a panic, perhaps? You'd think a business columnist would be a bit more careful about one capitalist pot calling another capitalist kettle black.

Consider this... maybe Hold Security learned something from the way they handled the earlier Adobe password breach situation. It has to cost something to provide answers to untold thousands of people who want to know if their credentials were exposed. Charging a small fee to offset those costs, and yes, even making a profit at it, doesn't seem wrong to me. It all reminds me of the early days of the Internet, when some in academia stomped and whined about the use of the Internet for anything other than fish cams, ASCII art, and the occasional sharing of scientific research. Then and now, I think it boils down to a "Dang, why didn't *I* think of that?" scenario, cloaked in righteous indignation.

As for the stolen data, relax: the thieves seem to be using it mainly to spam on behalf of anonymous clients, not to hack anyone’s account. Still, have you changed your passwords lately?

This article was posted on 29 Aug 2014.


Most recent comments on "Over 1 Billion Passwords Stolen"

Posted by:

PDSterling
29 Aug 2014

I understand the need for passwords on bank accounts and credit accounts, but the vast number of sites that *require* one to register is quite annoying. Usually, they just want to have their marketing department write, saying, "You just bought a pair of shoes! Would you like to buy more shoes?" This annoys this senior citizen on a fixed income.


Posted by:

Jim
29 Aug 2014

Bob, I have to agree 100% with your opinion of Hold Security charging a small fee to check people's e-mail against the 'master list'. Nobody is forcing these people to use their services, it's a choice. If they can't be bothered to change their password, then pay a fee to find out. And who actually tried to cause the panic? Hold Security, or the news media by sensationalizing the news? Your comment about "the pot calling the kettle black" couldn't be more appropriate.


Posted by:

Joel Bown
29 Aug 2014

I wonder what the point of using strong passwords is all about anymore. Since stealing passwords is surely much more common than cracking them, why not just use abc rather than some impossible construction of letters, numbers, symbols and caps?


Posted by:

JP
29 Aug 2014

Just this morning I received an email from, most likely, one of those hackers or someone who bought the stolen info. I received an urgent plea for help from someone I haven't spoken with in probably 20 years, saying her family had gone to Kiev on vacation, gotten mugged, robbed of everything but their passports, etc., and the US Embassy wasn't helping any, and wanted to know if they could borrow $2,300 from me. The email asked me to reply if they could count on my help and they'd send instructions on how to get the money there.


Posted by:

Rochelle
29 Aug 2014

My PWs are all secure 15-character mixes of gibberish. I have five email addresses, registered at 175 websites. Surely one of those 420,000 sites is among them. Why has none of those sites contacted me about changing my PW? I posed the same question at an old, reputable computer help forum, VirtualDr.com, also with no replies.

Has anyone else been contacted by a hacked website?


Posted by:

bb
29 Aug 2014

Sorry, count me on the side of the skeptics. Sure, "Hold Security" was invisible a year ago and more-or-less before this disclosure; the respectable Brian Krebs vouched for them (although listed as an adviser to Hold Security); they were charging $50 to check an email address (or $120, the price changes depending on who and when you check); and Bruce Schneier calls the story "Squirrelier and Squirrelier."
I certainly can see not publishing any of the alleged 1.2B hacked accounts, but shouldn't they at least give out some of the 420,000 hacked websites? I want to check mine, but am not willing to sign up for some kind of service just to do that.
The whole story smells much more like a media attention stunt than real news.


Posted by:

Jim
29 Aug 2014

Several months ago, Gmail notified me that someone in Russia was trying to access my account. I changed my password to a much stronger one, as well as all my other accounts. Don't know if it was this band of thieves, but I'm glad Google sent that notice, otherwise I never would have known. Bob, thanks for your great articles keeping us informed.


Posted by:

Doc
29 Aug 2014

Bob -- And *I* remember the argument about whether calculators should be allowed in Stats, Chemistry and Physics classes over slide-rules. Then whether they should be allowed for High School, then upper Grad school . . . .

Yep, Academia and Capitalism share much in common in how they react: "DANG! **I** should have thought about it!! It really *WAS* my idea you know!!!" On a more serious note, I'd like to underline your advice given in such Britishesque understatement:

***_CHANGE YOUR PASSWORDS!_***

There, it's been said. AND on the up side, no one needs to think "Dang! *I* should have thought about it!!", and ruin a perfectly good day, unless it's changing passwords. That's always a joy.


Posted by:

IanG
29 Aug 2014

Yes, Bob, I have changed 'some' of my passwords recently - like when eBay and PayPal requested it (and wouldn't let you log in using the old one).

But, to me, it's a real pita. I carefully (and I think, skilfully) craft a new password: one that's strong but also memorable to me - because I don't use any programs that memorize passwords for you - that is just one more action you need to take to get where you want to get to, as quickly as possible.

So I shall be continuing with my current ones, while watching and being aware of any signs of unusual activities. Thanks as always for keeping us up to speed.


Posted by:

Chuck
29 Aug 2014

Proof that it pays to change your passwords often. A lot of Russians are thugs and are hated all over the world for their devious ways, not just cybertheft. All are not thugs, but a number of Russians, many living in other countries, ruin the reputation for the rest of the population.


Posted by:

james
29 Aug 2014

Bob,

Thanks for all your insightful short stories over the years. SQL injection flaws in a website in 2014.
I wouldn't even think that was possible with all the security experts around now. It would seem like a good idea, before putting a website online for the public, that it was tested for known flaws. I wonder if the I Love You virus would take down a network today?

Keep up the good work and interesting viewpoint.
Thanks,
Cross site scripting


Posted by:

Bruce
29 Aug 2014

I think the point made by Joel Brown above is a good one. This excerpt from Bob's newsletter of 15th August seems to show that strong passwords aren't necessarily the answer.

"A few years ago, I met with a group of Internet professionals, all of us sporting laptops with wireless connections to the hotel's access point. On the second day of the conference, one of the attendees put up a slide showing logins and passwords from a dozen of the attendees. Needless to say, many jaws dropped open! He was running a "wifi sniffer" to spy on the internet traffic floating around in the air. Fortunately, he was a trusted colleague, and was nice enough to tell us that we were caught with our virtual pants down".


Posted by:

RandiO
29 Aug 2014

Those who are paranoidly (and criminally) inclined, it is prime time to:
*Cash out all of your savings and your bank accounts,
*Buy an island home in some touristy resort, with your 401K plan,
*Rack up all your credit cards to the max, with the best toys money can buy,
*Fire your accountant and investment advisor, via your gmail account,
*Deface and otherwise ransack all your social media (Facebook, Tweeter) accounts,
*Contact Social Security Administration and tell them to lock your account,
*Purge yourself of all your battery operated devices,
*Cancel your ISP, mobile and TV accounts,
*Remove batteries and turn off all your computing and mobile devices, and
*Notify the IRS that all your personal and financial accounts have been hacked and otherwise hijacked because of what Bob Rankin told you.
Enjoy the remainder of your future off the grid and never having to worry about another password!


Posted by:

Odin
30 Aug 2014

Hi Bob, I was wondering why acts such as this are almost always attributed to the "Russians". Are they more intelligent, have better computers, more free time, more evil, or some other "trait" that the rest of us don't have?

EDITOR'S NOTE: I didn't use "Russian" in a metaphorical sense. That's where these particular criminals are located. My guess is that criminals in Russia don't have any particular superpowers -- rather, they understand that they can more likely get away with it there, due to complicit and corrupt government officials.


Posted by:

Susan G
30 Aug 2014

Passwords are a PITA. I use very strong long ones for any account that has email, financial data, or stores credit cards. The rest of them get a very easy one--that way I don't give up any clues if an unimportant account is hacked.


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Over 1 Billion Passwords Stolen (Posted: 29 Aug 2014)
Source: http://askbobrankin.com/over_1_billion_passwords_stolen.html