Over 1 Billion Passwords Stolen
Russian cybercrooks have hijacked a mother lode of 1.2 billion unique username and password credentials. The New York Times did some quick math and noted, “that’s more than the population of China!” The thieves have also amassed a list of 500 million email addresses -- so should you be worried? Read on...
Million, Billion, What's the Difference?
It's starting to get boring. Every month we see another headline warning of a data breach resulting in the theft of millions of email addresses, passwords, or credit card numbers. And now, in a scene reminiscent of Doctor Evil in an Austin Powers movie, it's BILLIONS!
But that doesn't mean you should stop paying attention. Even if many of those passwords are unenviable, those addresses can be used to make it look like their owners are blasting out spam.
Hold Security, based in Milwaukee, discovered the massive trove of ill-gotten credentials. That’s the same firm that disclosed the leak of several million Adobe users’ account information earlier this year.
The thieves plundered over 420,000 Web sites belonging to Fortune 500 brands as well as mom-and-pop pages to gather so many credentials. No particular geographic area was targeted, according to Hold Security. The scope and size of the criminal ring means it must be the work of master career criminals. Right?
But according to Hold, the thieves got started only in 2011 as small-time spammers. It wasn’t until April of 2014 that their criminal activity exploded. Hold believes the penny-ante group partnered with another, unidentified hacker group that shared techniques and tools with the newcomers.
How Could This Happen?
One of the key tools that enabled such rapid growth of a criminal enterprise was botnets, according to Hold’s forensic analysis. Legions of secretly enslaved computers were commanded to do the following:
- STEP 1: Visit Web site X
- STEP 2: Test the site to see if it’s vulnerable to an “SQL injection” attack
- STEP 3: If so, ATTACK and upload a malware payload that sends users’ credentials to the thieves
Outrageously simple, isn’t it? But what’s simply outrageous is that the “SQL injection” vulnerability has been well-known for many years, patches have been available nearly as long, and still hundreds of thousands of sites, large and small, remain vulnerable to it!
It’s rather breathtaking to realize how quickly cybercrooks can go from clueless newbies to record-breaking thieves. The Internet really has sped up everything to nearly the speed of light -- except, apparently, the due diligence of Webmasters.
The news media made a big deal of this discovery, of course. It then made a big deal of the fact that Hold Security apparently tried to cash in on its whistle-blowing. The security firm hastily, and rather ham-fistedly, offered to check your email address against the database of stolen ones for a small fee. It also offered a year’s subscription to its “suspicious activity monitoring service.” The mainstream media sniffed at what they perceived as unsubtle and unseemly greed.
It's a Sensation!
“Yes, I expect security firms to make money for making the Internet more secure,” wrote the Washington Post’s business columnist, Gail Sullivan, “but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic.”
Excuse me, Ms. Sullivan, but how else does your employer WashPo, the Grey Lady that published a story screaming “Russian Hackers Steal More Than 1 Billion Passwords,” make their money, please? Selling papers by using sensational headlines to create a panic, perhaps? You'd think a business columnist would be a bit more careful about one capitalist pot calling another capitalist kettle black.
Consider this... maybe Hold Security learned something from the way they handled the earlier Adobe password breach situation. It has to cost something to provide answers to untold thousands of people who want to know if their credentials were exposed. Charging a small fee to offset those costs, and yes, even making a profit at it, doesn't seem wrong to me. It all reminds me of the early days of the Internet, when some in academia stomped and whined about the use of the Internet for anything other than fish cams, ASCII art, and the occasional sharing of scientific research. Then and now, I think it boils down to a "Dang, why didn't *I* think of that?" scenario, cloaked in righteous indignation.
As for the stolen data, relax: the thieves seem to be using it mainly to spam on behalf of anonymous clients, not to hack anyone’s account. Still, have you changed your passwords lately?
This article was posted by Bob Rankin on 29 Aug 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Over 1 Billion Passwords Stolen (Posted: 29 Aug 2014)