A report from Hold Security claims that one of the biggest ever online heists has been committed by a Russian crime gang. It would appear that the data theft includes, wait for it, no less than 1.2 billion (yes billion) username and passwords along with around half a billion email addresses obtained from more than 400,000 websites. In total, Hold Security says, the stolen data amounts to some 4.5 billion items.
According to the report the gang acquired databases of stolen credentials from online dark markets which were then used to attack e-mail providers, social media, and other websites. Spam was then distributed which contained malware as a result. "Earlier this year, the hackers altered their approach" Hold Security says, with the gang gaining access to data from botnets which identified SQL vulnerabilities on the sites they visited. "The botnet conducted possibly the largest security audit ever" according to the company with "over 400,000 sites identified to be potentially vulnerable to SQL injection flaws alone." It was these vulnerabilities that were used to steal the data.
Mark James, a security specialist at ESET, says that because the data appears to have been harvested from a number of different location, ranging from the dark market through to the smallest of websites with lapse security, it suggests a lot of effort went into the heist. "Organising all this data into a central repository and then using it to gain access to more systems would point to a very organised gang of thieves" he says, adding "this discovery highlights the need for companies to inform their users as soon as possible if they think their servers have been compromised as our only defence is using different information online."
James Mullock, a lawyer and partner at International law firm Osborne Clarke, reckons that "business with a digital presence will be waiting with baited breath to learn whether their users are affected by this reported attack." Mullock goes on to add that "an interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations." He points out that there is currently little legislative guidance regulating how that process should operate and it appears ripe for review.
Mark Bower, VP at Voltage Security, isn't shocked by the news. "This sounds all too familiar: weakly secured sites, preventable vulnerabilities that aren’t patched, and automated botnets to exploit them yielding massive troves of identity data suitable for a ruthless secondary online system attacks at tremendous scale" he states. Of course, while that is true it doesn't dilute the fact that there are wider implications of this kind of attack-methodology as a NetIQ spokesperson pointed out: "This again signals we are reaching the end of the usable lifespan of the username/password combination to security. The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user. Small groups of hackers are able to perpetrate this kind of immense data theft because there is already extensive information available to assist them in navigating to vulnerable systems around the globe - hackers have mapped the internet to a high degree of accuracy and that information is readily available. Organisations don't always protect passwords as well as they should - either using weak hashing algorithms, unsalted hashes, or in some cases, not even protecting the passwords at all."
