Feeds

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian gang 'audited the internet'

Choosing a cloud hosting partner with confidence

Updated Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases.

A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to SQL injection attacks, we're told. These unnamed sites were flagged up to the malware's masters, who then returned to harvest sensitive data from vulnerable servers.

The hackers – a group called CyberVors based in south central Russia – eventually ended up with 4.5 billion username and password combinations, it's reported. However, many were duplicates, leaving the group with 1.2 billion unique pairs, it's alleged. Of these username records, there were 542 million unique email addresses, apparently.

That works out to about 10,700 swiped username and password pairs per compromised site, or 2,900 unique pairs, on average.

It's claimed CyberVors also bought a load of stolen passwords from other crims, so it's possible not all 1.2bn logins came from the gang's botnet-led raid. That would suggest any number of the credentials could be out of date.

The hacked websites ranged from household names to small businesses located all over the world, security researcher Alex Holden told The New York Times.

Holden did not reveal the names of the raided websites, which apparently include Fortune 500 organizations; despite their budgets, big businesses were found to be vulnerable to SQL injection attacks, one of the most basic and common flaws in website software of the last decade, it seems.

He said many of the affected sites were still vulnerable. "They audited the internet," Holden told the NYT, referring to the crooks. Hold's security research firm, which is based in Milwaukee and found the leaked data, has alerted the operators of the vulnerable sites.

Holden said the records had not been sold off by the criminals, and were instead being used to distribute spam on victims' social networks; this suggests any number of the swiped passwords are either unencrypted or have been cracked.

The gang, according to Hold's research, is made up of fewer than a dozen 20-something men, all of whom know each other and are split into small teams: some focus on harvesting credentials, and others maintain the vulnerabilities-hunting botnet that was built on the back of some unknown malware.

Software developers should consult the OWASP Proactive Controls list to help wipe out top web app vulnerabilities in their products.

And, naturally, Holden's company offers an identity-theft alert subscription service for anyone who fears their passwords have been, or will be, obtained. Although the New York Times says it took steps to verify Hold's claims, until the names of the raided websites emerge, it's too early to panic, if at all. ®

Updated to add

Alex Holden's Hold Security biz is under fire for charging website owners $120 a year to find out if their systems have been compromised. Meanwhile, a free service for netizens, which checks whether they've had their details nicked, asks for email addresses and passwords, which has angered some in the infosec world. The passwords are apparently hashed in the web browser.

Investigative reporter Brian Krebs, who previously worked with Holden to lift the lid on the digital underworld, defended the researcher this week: "It is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors."

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.