A Russian cybercrime gang has managed to stockpile a treasure trove of over 1 billion online log-in credentials, the largest ever discovered, raising serious questions over the basic security levels of many websites.
Milwaukee-based Hold Security told the New York Times the gang in question amassed 1.2 billion user name and password combinations and more than 500 million email addresses.
The credentials apparently come from a broad selection of websites, ranging from Fortune 500 companies to small players all over the world.
The gang has been monetizing the credentials by using them to send out spam on social networks, although it is likely that at least some will be sold on underground forums eventually.
The cybercrime ring itself hails from a small city in south central Russia and consists of fewer than a dozen men in their early 20s, who have been escalating their attack activity over the past three years, Hold Security founder Alex Holden told the paper.
“There is a division of labor within the gang,” he added. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
More worrying still, the breached websites are said to have been compromised because they were all vulnerable to a simple SQL injection attack.
Such vulnerabilities are easy to patch but often lie forgotten until a hacker exploits them.
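The class of flaw the article describes, and the fix it calls easy to patch, as an added illustration that is not from the article or from Hold Security. The table, the account "alice", the placeholder hash string and the malformed username are all constructed for the demonstration; the point is that a login query built by string concatenation lets input change the SQL, while the same query with bound parameters treats the input as data only.

```python
import sqlite3


def make_db():
    # Constructed sample table, in memory. A real application would store a
    # salted password hash; the literal here is only a stand-in value.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", "hash-of-alices-password"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # The weak pattern: user input is spliced into the SQL text, so a quote
    # character in the input ends the string literal and the rest of the
    # input is parsed as SQL syntax.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password_hash):
    # The fix: the SQL text is fixed at development time and the driver
    # passes the values separately, so they can never become syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def demo():
    conn = make_db()
    good = ("alice", "hash-of-alices-password")
    # Constructed malformed input: the quote closes the username literal and
    # "--" starts an SQL comment, so the password comparison is never run.
    bad = ("alice' --", "wrong")
    return {
        "vulnerable_good": login_vulnerable(conn, *good),
        "vulnerable_bad": login_vulnerable(conn, *bad),
        "parameterized_good": login_parameterized(conn, *good),
        "parameterized_bad": login_parameterized(conn, *bad),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

Running it shows the concatenated query accepting the malformed username with a wrong password, while the parameterized version accepts only the genuine pair. The same one-line change applies to any driver that supports placeholders; the checks a reviewer looks for are string formatting or concatenation anywhere a query is built, and the fix is the same each time.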
Holden said the hackers effectively “audited the internet” for vulnerable sites by using automated botnets, and then returned to steal user data from the ones left exposed.
“The attackers crowdsourced the hacking, leveraging botnet-infected computers to do the heavy lifting for them and identify sites vulnerable to SQL injection attacks,” said Michael Sutton, vice president of security research at Zscaler.
“This is yet another warning of the dangers of using the same credentials on multiple sites. Consumers should assume that sites they trust will be breached at some point. If they use different credentials on all sites, at least they can limit the damage.”
Mark Bower, vice president of product management at Voltage Security, added that the news is “all too familiar”.
“Yet more evidence the bad guys are winning big at consumers’ expense who will foot the bill for this in the end like a hidden tax,” he argued.
“Clearly it’s time to change the game in data security and neutralize data-breach risks instead of paying the heavy price when sensitive data falls into the wrong hands all too easily.”
KPMG cyber security director, Tom Burton, argued that the incident shows passwords are losing their effectiveness.
“Individuals cannot possibly remember a different password for each website they use, let alone passwords with strength,” he added.
“In the short term individuals must take a more risk-based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached – such as bank or email accounts – while being pragmatic and using common passwords for sites that would be little more than an irritation if breached.”
For website owners, meanwhile, the emphasis should be on proactive, preventative measures.
“The fear is that if this doesn’t prompt businesses and individuals to rethink how they are protecting themselves, the criminal fraternity will have a bright future ahead of them,” said Burton.