Russian Hackers Have Stolen Over A Billion Internet Passwords

The security firm that discovered the breach has chosen not to name the victims, due to nondisclosure agreements and companies whose sites remain vulnerable.

The New York Times reported yesterday that a Russian crime ring had amassed the largest collection of stolen digital information, including 1.2 billion username and password combinations and more than 500 million email addresses. Hold Security, a firm in Milwaukee that discovered the breach, said that the confidential material had been gathered from 420,000 websites. Those domains range from household names to small internet sites.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," said Alex Holden, founder and chief information security officer of Hold Security. "And most of these sites are still vulnerable."

Holden noted that because Russian websites had also fallen victim to the attack, he felt there was no connection between the hackers and the Russian government. He also said he intended to notify local law enforcement of the attack, even though the Russian government has generally neglected to pursue accused hackers in the past.

The hacking ring is based in a small city in south central Russia. They began as amateur spammers in 2011, buying stolen databases of personal information from the black market. Using botnets (networks of computers infected with a computer virus), they were able to capture credentials on a large scale. The group includes fewer than a dozen men in their 20s who know one another personally as well as virtually, and their servers are also thought to be in Russia.

There is growing concern among the security community that preventing personal information theft is becoming a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and other bits of personal information were stolen from Target by hackers in eastern Europe. Just last month, the European Central Bank was breached by hackers and the personal data of their customers was held for ransom.

Let us know your thoughts by commenting below.

Source: The New York Times

This is usually fairly interesting to discover, despite mandating a new password for security's sake. Is it known if any fraud has been perpetrated using the stolen information? I doubt many websites would store credit card info after the big kerfuffle last year.

Fortunately for me, I keep one step ahead of thieves like this. Can't steal any money from me if I have none!

Scorekeeper:
This is usually fairly interesting to discover, despite mandating a new password for security's sake. Is it known if any fraud has been perpetrated using the stolen information? I doubt many websites would store credit card info after the big kerfuffle last year.

Yeah, because places like Amazon and eBay TOTALLY don't have your info saved for convenience EVERY TIME you want to make a purchase. Nor does Steam (though with Steam it is more of an option).

So based on the article it seems like the firm was able to pinpoint the exact people involved. Seeing as they know how many there are, their ages, and what town they live in. Am I the only one that finds it ridiculous that we can't bring them to justice just because the Russian government doesn't care?

Mortis Nuncius:
Fortunately for me, I keep one step ahead of thieves like this. Can't steal any money from me if I have none!

Same here, and combine that with possibly having little to no good credit, I'm completely worthless to them!
Hooray crippling poverty! :D

The age of the password seriously needs to come to an end. It's reached a point now where if your password is anything you can actually remember, it's not secure enough. And you need upper case letters and numbers and special characters and it can't be an actual word and it can't be anything you've used in the last 20 years and of course don't use the same password make sure each site is a different password and oh yeah, you'll have to change it to a new one every other day.

It's become absurd.

So now everyone keeps a list of passwords on a sticky note on their computer monitor, and how is that secure, exactly?

Why don't we have iris scanners yet?

RonHiler:
The age of the password seriously needs to come to an end. It's reached a point now where if your password is anything you can actually remember, it's not secure enough. And you need upper case letters and numbers and special characters and it can't be an actual word and it can't be anything you've used in the last 20 years and of course don't use the same password make sure each site is a different password and oh yeah, you'll have to change it to a new one every other day.

It's become absurd.

So now everyone keeps a list of passwords on a sticky note on their computer monitor, and how is that secure, exactly?

Why don't we have iris scanners yet?

Agreed, password security is laughable these days because a lot don't realize just how serious good password management is to keep up with. The trouble is, what form of security can be developed that can't be beaten with enough dedication? Fingerprint scanners = dusting for prints. Iris scanners, bit more secure, but more expensive and inconvenient for the moment, potentially beaten by images. And with how companies save our data so much, it becomes impossible to protect on your own.

Good security is 3 things: what you are, what you have, and what you know. And right now we rely WAY too much on only "what we know".

Mortis Nuncius:
Fortunately for me, I keep one step ahead of thieves like this. Can't steal any money from me if I have none!

This. I have 3 cents in my bank account - 3 CENTS! They can try and take my tres pennies but this would not be the first time I've dealt with banking errors and would likely not be the last.

Holden Security has plans that users have to subscribe to a paid service in order to verify whether their email etc. is on that list or not: http://www.computerbase.de/2014-08/raetsel-um-diebstahl-von-1.2-milliarden-account-daten/
That will cost 10 dollars a month or 120 dollars a year.

So Russian hackers are supposed to be responsible but a US based company is basically selling you your own data... sketchy.

Remind me when the world decides it's had enough of Russia's shit, after the whole Malaysia incident I'm not even sure what they do for the world anymore, the hacking, killing and pirating they do doesn't really make them look like a civilised country at all, also adding the refusal to co-operate with the space station, Russia just seems incredibly backwards while still grasping onto communism like it will somehow pull through, the truth is it won't.

People laughed when I said that East Europe would be the Next Big Thing in terms of technological achievement, and yet here we are.

Now, if only the achievements weren't so disreputable...

Pffft, I'm insured, and my bank will halt any transaction that looks suspicious. No joke. If they see someone pulling something in the wrong country with my account, it'll freeze faster than water in a liquid nitrogen parade.

We should bring back the medieval punishment system for hackers and people who steal credit card info and cut their hands off

RonHiler:
The age of the password seriously needs to come to an end. It's reached a point now where if your password is anything you can actually remember, it's not secure enough. And you need upper case letters and numbers and special characters and it can't be an actual word and it can't be anything you've used in the last 20 years and of course don't use the same password make sure each site is a different password and oh yeah, you'll have to change it to a new one every other day.

It's become absurd.

So now everyone keeps a list of passwords on a sticky note on their computer monitor, and how is that secure, exactly?

Why don't we have iris scanners yet?

Going from something that can be changed and is different on each website to something that cannot be changed and is used everywhere is not an improvement. Yes it's easier but like anything easier the security level goes down, once they get your iris data you'd be screwed.

What would have been nice is more information on what sites and what information has been compromised.

At least for the Heartbleed breach, we knew what was going on. This article suggests the security holes are ongoing.
So what's insecure? I have like 2 billion passwords on 3 billion sites.

Edit: And the best bit that really blows my mind, is most places that are carrying the story follow up with tips for good habits for secure passwords.

Did they not read their own story that says the databases were stolen from the websites?

You could have written dirty limericks in Japanese kanji for your passwords and these hackers would still have it.

The problem is the mainstream media has zero understanding of technology and does not know how to properly report this sort of thing.

Shadow-Phoenix:
Remind me when the world decides it's had enough of Russia's shit, after the whole Malaysia incident I'm not even sure what they do for the world anymore, the hacking, killing and pirating they do doesn't really make them look like a civilised country at all, also adding the refusal to co-operate with the space station, Russia just seems incredibly backwards while still grasping onto communism like it will somehow pull through, the truth is it won't.

You would sound a lot more convincing if you had some basic grasp of history, friend. Hint: Google Collapse of the Soviet Union/Eastern Bloc Communism.

Scorekeeper:
This is usually fairly interesting to discover, despite mandating a new password for security's sake. Is it known if any fraud has been perpetrated using the stolen information? I doubt many websites would store credit card info after the big kerfuffle last year.

You'd think. Google, Steam, Origin, you name it. Buy from them once and they will remember your info, and you have to manually delete the passwords or they simply have access "for easy buying".

However, I use PayPal for shopping online, which adds a layer of security since PayPal requires confirmation.

MorganL4:

So based on the article it seems like the firm was able to pinpoint the exact people involved. Seeing as they know how many there are, their ages, and what town they live in. Am I the only one that finds it ridiculous that we can't bring them to justice just because the Russian government doesn't care?

The Russian government cares. It's just that their care is different. They are HAPPY these hackers do this; it brings down Western competition and weakens Western economies.

RonHiler:

So now everyone keeps a list of passwords on a sticky note on their computer monitor, and how is that secure, exactly?

Considering that the vast majority of data stealing happens online and they can't come to your monitor and check the sticky note, it's far more secure than easy passwords. Besides, you should NEVER use sticky notes on a monitor for passwords. Write them down in a secure journal, preferably keep it in a safe, or at least where no one will think to search for it. Also possible to use a password encrypter with a master password. Basically you need to enter a password to find out what your other passwords are. That way you have to remember only one password.

As far as other securities, the handprint devices we have, for example, are very easily fooled. Same for voice recognition. Actually the keypads that look at "how fast you enter password" (because every human types it uniquely, actually, and computers are able to detect that) are more secure than thumbprint ones.

Shadow-Phoenix:
Russia just seems incredibly backwards while still grasping onto communism like it will somehow pull through, the truth is it won't.

They what now? Russia was never communist.

DoctorM:
What would have been nice is more information on what sites and what information has been compromised.

At least for the Heartbleed breach, we knew what was going on. This article suggests the security holes are ongoing.
So what's insecure? I have like 2 billion passwords on 3 billion sites.

Edit: And the best bit that really blows my mind, is most places that are carrying the story follow up with tips for good habits for secure passwords.

Did they not read their own story that says the databases were stolen from the websites?

You could have written dirty limericks in Japanese kanji for your passwords and these hackers would still have it.

The problem is the mainstream media has zero understanding of technology and does not know how to properly report this sort of thing.

Exactly. I was flipping back and forth through the evening news shows, both local and national, and not a single one of them gave anything resembling even a partial list.

All the news shows are telling people to change their passwords to make the stolen data obsolete. Thing is, that's not quite how reality works. If they have your old password there is always a good chance they didn't just sit on it and already took whatever info that password was protecting (real name, mailing address, credit card number, etc...). What's worse is that whatever security holes allowed the hackers in in the first place are still there, and with the technique that people believe the hackers used, changing your password might not even do anything to protect someone from future attacks.

Higgs303:

Shadow-Phoenix:
Remind me when the world decides it's had enough of Russia's shit, after the whole Malaysia incident I'm not even sure what they do for the world anymore, the hacking, killing and pirating they do doesn't really make them look like a civilised country at all, also adding the refusal to co-operate with the space station, Russia just seems incredibly backwards while still grasping onto communism like it will somehow pull through, the truth is it won't.

You would sound a lot more convincing if you had some basic grasp of history, friend. Hint: Google Collapse of the Soviet Union/Eastern Bloc Communism.

Actually there are still people in Russia who want to go back to its old soviet days.

Putin seems to be one of them if political analysts are to be believed.

He was right, they are still clinging to old ideals that never worked. The ideals failed for a reason, and trying to bring it back won't magically fix the failure of the Soviet Union.

You can't resurrect a failed ideology.

Shadow-Phoenix:
Remind me when the world decides it's had enough of Russia's shit, after the whole Malaysia incident I'm not even sure what they do for the world anymore, the hacking, killing and pirating they do doesn't really make them look like a civilised country at all, also adding the refusal to co-operate with the space station, Russia just seems incredibly backwards while still grasping onto communism like it will somehow pull through, the truth is it won't.

"Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government."

So far nobody has any evidence that the Russian government was involved or that they are in any way impeding the investigation yet, though you wouldn't know that based on how most major news outlets are leaving that part out while putting emphasis on the fact that the hackers are based out of Russia. You could make the argument that the Russian government is responsible in the sense that by having a history of not bothering to go after hackers they created an environment where these scumbags could thrive but beyond that at the moment there's not much blame to be laid on anyone other than the hackers and computer security measures that are easy to crack and slow to be fixed.

Ultratwinkie:

Actually there are still people in Russia who want to go back to its old soviet days.

Putin seems to be one of them if political analysts are to be believed.

He was right, they are still clinging to old ideals that never worked. The ideals failed for a reason, and trying to bring it back won't magically fix the failure of the Soviet Union.

You can't resurrect a failed ideology.

I highly doubt that he's trying to resurrect the Soviet Union. Now if he were trying to resurrect the Russian Empire that would be a different story. Also which political analysts?

 
