Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian gang 'audited the internet'

Updated: Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases.

A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to SQL injection attacks, we're told. These unnamed sites were flagged up to the malware's masters, who then returned to harvest sensitive data from vulnerable servers.

The hackers – a group called CyberVors based in south central Russia – eventually ended up with 4.5 billion username and password combinations, it's reported. However, many were duplicates, leaving the group with 1.2 billion unique pairs, it's alleged. Of these username records, there were 542 million unique email addresses, apparently.

That works out to about 10,700 swiped username and password pairs per compromised site, or 2,900 unique pairs, on average.

It's claimed CyberVors also bought a load of stolen passwords from other crims, so it's possible not all 1.2bn logins came from the gang's botnet-led raid. That would suggest any number of the credentials could be out of date.

The hacked websites ranged from household names to small businesses located all over the world, security researcher Alex Holden told The New York Times.

Holden did not reveal the names of the raided websites, which apparently include Fortune 500 organizations; despite their budgets, big businesses were found to be vulnerable to SQL injection attacks, one of the most basic and common flaws in website software of the last decade, it seems.

He said many of the affected sites were still vulnerable. "They audited the internet," Holden told the NYT, referring to the crooks. Holden's firm, Hold Security, which is based in Milwaukee and found the leaked data, has alerted the operators of the vulnerable sites.

Holden said the records had not been sold off by the criminals, and were instead being used to distribute spam on victims' social networks; this suggests any number of the swiped passwords are either unencrypted or have been cracked.

The gang, according to Hold's research, is made up of fewer than a dozen 20-something men, all of whom know each other and are split into small teams: some focus on harvesting credentials, and others maintain the vulnerabilities-hunting botnet that was built on the back of some unknown malware.

Software developers should consult the OWASP Proactive Controls list to help wipe out top web app vulnerabilities in their products.

And, naturally, Holden's company offers an identity-theft alert subscription service for anyone who fears their passwords have been, or will be, obtained. Although the New York Times says it took steps to verify Hold's claims, until the names of the raided websites emerge, it's too early to panic, if at all. ®

Updated to add

Alex Holden's Hold Security biz is under fire for charging website owners $120 a year to find out if their systems have been compromised. Meanwhile, a free service for netizens, which checks whether they've had their details nicked, asks for email addresses and passwords, which has angered some in the infosec world. The passwords are apparently hashed in the web browser.

Investigative reporter Brian Krebs, who previously worked with Holden to lift the lid on the digital underworld, defended the researcher this week: "It is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors."
