Wow, this is a big one.
As first reported by The New York Times, Hold Security discovered that a Russian crime ring has stolen 1.2 billion username and password combinations and over 500 million email addresses from 420,000 websites "including household names and small Internet sites". The Times reports:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.
Compromised sites include some here in the U.S. as well as some based in Russia itself. According to Hold Security, most of the sites involved are still vulnerable.
A message on Hold Security's site says:
You have been hacked! Over the past 18 months, this was our conversation starter with many companies and individuals. Helping our clients prevent breaches or find their stolen data is our business. If you have been following information security, or even if you haven’t, you have probably heard of Hold Security and our work. In October 2013, we identified a data breach with Adobe Systems. Later in December that year, we independently identified and tracked the Target breach and in February 2014 we identified over 360 million stolen credentials trafficked on the black market. Overall, Hold Security played a role in identifying and helping victims with most of the largest breaches.
In the latest development, Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date.
Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach. Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.
They're calling the Russian gang, which they say still has possession of the stolen data, "CyberVor". The 1.2 billion credentials are just the unique ones taken from a whopping 4.5 billion records altogether. The 420,000 compromised sites include FTP sites.
According to Hold Security, the gang initially acquired databases of stolen credentials from other hackers on the black market. These, it says, were used to attack email providers, social media, and other sites in order to distribute spam to victims and install malicious redirections on legitimate systems. Later, the gang obtained access to data through botnets and SQL injection.
"The CyberVors did not differentiate between small or large sites," the firm says. "They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."
They encourage companies to check if their sites (including auxiliary sites) are susceptible to SQL injection. They then use the opportunity to plug their new "Breach Notification Service," which charges you $10 a month or $20 a year to monitor your site for vulnerability.
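The two defences the story touches on, a fixed query structure that keeps user input out of the SQL parser and per-user salted, slow-hashed passwords that blunt the value of a stolen table, as an added illustration (constructed in-memory data, not Hold Security's code or any breached site's):

```python
import hashlib
import hmac
import os
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password: str, salt: bytes) -> bytes:
    # Per-user random salt plus a slow KDF: a stolen table cannot be attacked with
    # one precomputed table, and every guess costs the attacker real work.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def register(conn, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, hash_password(password, salt)))

def user_exists_vulnerable(conn, username: str) -> bool:
    # WEAK PATTERN: the username is pasted into the SQL text, so any quote
    # character in it becomes part of the query's syntax rather than its data.
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None

def user_exists_safe(conn, username: str) -> bool:
    # HARDENED: the placeholder binds the value; the query structure is fixed.
    return conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None

def verify_login(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison avoids leaking how many hash bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo() -> dict:
    conn = build_db()
    register(conn, "o'brien", "correct horse battery staple")
    results = {"safe_lookup": user_exists_safe(conn, "o'brien"),
               "good_password": verify_login(conn, "o'brien", "correct horse battery staple"),
               "bad_password": verify_login(conn, "o'brien", "password123")}
    try:
        user_exists_vulnerable(conn, "o'brien")
        results["vulnerable_lookup"] = "ran"
    except sqlite3.OperationalError:
        # A legitimate apostrophe already breaks the query: the input reached the parser.
        results["vulnerable_lookup"] = "syntax error"
    return results
```

An ordinary apostrophe in a username is enough to show the difference: the concatenated query fails to parse, while the bound query treats it as data.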
In fact, some see this as a bit shady.
Kashmir Hill at Forbes writes, "It’s certainly in the interest of any security firm to portray the state of cybersecurity as dire to make their wares more appealing, and that’s something any reader should keep in mind when reading quotes from a security professional. But this is a pretty direct link between a panic and a pay-out for a security firm. Yes, I expect security firms to make money for making the Internet more secure, but I am skeptical of a firm with a financial incentive in creating a panic to be the main source for a story that causes a panic. If nothing else, it should be disclosed in the New York Times story that the firm that reported a major breach hoped to directly profit from it. We don’t just need hashed passwords salted, we need grains of salt in our reporting around security."
Those who watched the recent John Oliver bit on native advertising (which specifically talks about The New York Times) might be going back to look at the NYT piece for indication of a sponsored post. There doesn't appear to be one.
Meanwhile, Hold Security is also offering a service to individuals.