Feeds

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian gang 'audited the internet'

Internet Security Threat Report 2014

Updated Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases.

A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to SQL injection attacks, we're told. These unnamed sites were flagged up to the malware's masters, who then returned to harvest sensitive data from vulnerable servers.

The hackers – a group called CyberVors based in south central Russia – eventually ended up with 4.5 billion username and password combinations, it's reported. However, many were duplicates, leaving the group with 1.2 billion unique pairs, it's alleged. Of these username records, there were 542 million unique email addresses, apparently.

That works out to about 10,700 swiped username and password pairs per compromised site, or 2,900 unique pairs, on average.

It's claimed CyberVors also bought a load of stolen passwords from other crims, so it's possible not all 1.2bn logins came from the gang's botnet-led raid. That would suggest any number of the credentials could be out of date.

The hacked websites ranged from household names to small businesses located all over the world, security researcher Alex Holden told The New York Times.

Holden did not reveal the names of the raided websites, which apparently include Fortune 500 organizations; despite their budgets, big businesses were found to be vulnerable to SQL injection attacks, one of the most basic and common flaws in website software of the last decade, it seems.

He said many of the affected sites were still vulnerable. "They audited the internet," Holden told the NYT, referring to the crooks. Hold's security research firm, which is based in Milwaukee and found the leaked data, has alerted the operators of the vulnerable sites.

Holden said the records had not been sold off by the criminals, and were instead being used to distribute spam on victims' social networks; this suggests any number of the swiped passwords are either unencrypted or have been cracked.

The gang, according to Hold's research, is made up of fewer than a dozen 20-something men, all of whom know each other and are split into small teams: some focus on harvesting credentials, and others maintain the vulnerabilities-hunting botnet that was built on the back of some unknown malware.

Software developers should consult the OWASP Proactive Controls list to help wipe out top web app vulnerabilities in their products.

And, naturally, Holden's company offers an identity-theft alert subscription service for anyone who fears their passwords have been, or will be, obtained. Although the New York Times says it took steps to verify Hold's claims, until the names of the raided websites emerge, it's too early to panic, if at all. ®

Updated to add

Alex Holden's Hold Security biz is under fire for charging website owners $120 a year to find out if their systems have been compromised. Meanwhile, a free service for netizens, which checks whether they've had their details nicked, asks for email addresses and passwords, which has angered some in the infosec world. The passwords are apparently hashed in the web browser.

Investigative reporter Brian Krebs, who previously worked with Holden to lift the lid on the digital underworld, defended the researcher this week: "It is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors."

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.