Feeds

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian gang 'audited the internet'

Beginner's guide to SSL certificates

Updated Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases.

A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to SQL injection attacks, we're told. These unnamed sites were flagged up to the malware's masters, who then returned to harvest sensitive data from vulnerable servers.

The hackers – a group called CyberVors based in south central Russia – eventually ended up with 4.5 billion username and password combinations, it's reported. However, many were duplicates, leaving the group with 1.2 billion unique pairs, it's alleged. Of these username records, there were 542 million unique email addresses, apparently.

That works out to about 10,700 swiped username and password pairs per compromised site, or 2,900 unique pairs, on average.

It's claimed CyberVors also bought a load of stolen passwords from other crims, so it's possible not all 1.2bn logins came from the gang's botnet-led raid. That would suggest any number of the credentials could be out of date.

The hacked websites ranged from household names to small businesses located all over the world, security researcher Alex Holden told The New York Times.

Holden did not reveal the names of the raided websites, which apparently include Fortune 500 organizations; despite their budgets, big businesses were found to be vulnerable to SQL injection attacks, one of the most basic and common flaws in website software of the last decade, it seems.

He said many of the affected sites were still vulnerable. "They audited the internet," Holden told the NYT, referring to the crooks. Hold's security research firm, which is based in Milwaukee and found the leaked data, has alerted the operators of the vulnerable sites.

Holden said the records had not been sold off by the criminals, and were instead being used to distribute spam on victims' social networks; this suggests any number of the swiped passwords are either unencrypted or have been cracked.

The gang, according to Hold's research, is made up of fewer than a dozen 20-something men, all of whom know each other and are split into small teams: some focus on harvesting credentials, and others maintain the vulnerabilities-hunting botnet that was built on the back of some unknown malware.

Software developers should consult the OWASP Proactive Controls list to help wipe out top web app vulnerabilities in their products.

And, naturally, Holden's company offers an identity-theft alert subscription service for anyone who fears their passwords have been, or will be, obtained. Although the New York Times says it took steps to verify Hold's claims, until the names of the raided websites emerge, it's too early to panic, if at all. ®

Updated to add

Alex Holden's Hold Security biz is under fire for charging website owners $120 a year to find out if their systems have been compromised. Meanwhile, a free service for netizens, which checks whether they've had their details nicked, asks for email addresses and passwords, which has angered some in the infosec world. The passwords are apparently hashed in the web browser.

Investigative reporter Brian Krebs, who previously worked with Holden to lift the lid on the digital underworld, defended the researcher this week: "It is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors."

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Desperate VXers enslave FREEZERS in DDoS bot
Updated Spike malware targets Asia
Heatmiser digital thermostat users: For pity's sake, DON'T SWITCH ON the WI-FI
A stranger turns up YOUR heat with default password 1234
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.