Russian Hackers Steal More Than 1 Billion Passwords in Record-Breaking Data Breach

Hold Security, a firm credited with uncovering significant data breaches – such as the one at Adobe Systems in October 2013 – has uncovered a record-breaking hack of 1.2 billion username and passwords from multiple websites.

From the Hold Security website:

After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it “CyberVor” (“vor” meaning “thief” in Russian).
The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.

Hold Security is not naming the victims – made up of large and small sites from industries across the world – because of non-disclosure agreements and a reluctance to publicize companies that may remain vulnerable.

The New York Times has reported that it asked another security expert to analyze the database of stolen credentials and it has been confirmed as authentic. Another computer crime expert told The New York Times that some “big companies” are aware that their records are among the stolen information.

Hold Security explains how the theft played out:

Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.

The San Jose Mercury News notes the scale of this attack – combined with multiple recent reports of cyber assaults – “raises significant questions about the security practices of thousands of companies around the globe and puts at risk the financial and personal information of a significant fraction of the planet’s population.”

Mark Bower from Voltage Security told the newspaper: “This sounds all too familiar – weakly secured sites, preventable vulnerabilities that aren’t patched. Yet more evidence the bad guys are winning big at consumers’ expense.”

Whether brought to the point of security awareness kicking and screaming, companies will come to face the dilemma of wanting as much information about consumers as they can store without losing the trust of the very audience they aim to serve by inadvertently losing it to cybercriminals. Defense in depth protections may require more consumer inconvenience with mandating things like two-factor login authentication, but more importantly will have to layer up their infrastructure on the back end and make sure they have the monitoring tools in place to detect nefarious activity quickly.

This is an arms race with sophisticated cybercriminals who realize that stealthy camouflage on a server with a trickle of captured information can mean a long-lasting goldmine of sensitive information. When you pull a whole server down, the changes of discovery and eradication are much higher. All part of the reason it can take so long to detect an issue.