Feeds

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian gang 'audited the internet'

Intelligent flash storage arrays

Updated Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases.

A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to SQL injection attacks, we're told. These unnamed sites were flagged up to the malware's masters, who then returned to harvest sensitive data from vulnerable servers.

The hackers – a group called CyberVors based in south central Russia – eventually ended up with 4.5 billion username and password combinations, it's reported. However, many were duplicates, leaving the group with 1.2 billion unique pairs, it's alleged. Of these username records, there were 542 million unique email addresses, apparently.

That works out to about 10,700 swiped username and password pairs per compromised site, or 2,900 unique pairs, on average.

It's claimed CyberVors also bought a load of stolen passwords from other crims, so it's possible not all 1.2bn logins came from the gang's botnet-led raid. That would suggest any number of the credentials could be out of date.

The hacked websites ranged from household names to small businesses located all over the world, security researcher Alex Holden told The New York Times.

Holden did not reveal the names of the raided websites, which apparently include Fortune 500 organizations; despite their budgets, big businesses were found to be vulnerable to SQL injection attacks, one of the most basic and common flaws in website software of the last decade, it seems.

He said many of the affected sites were still vulnerable. "They audited the internet," Holden told the NYT, referring to the crooks. Hold's security research firm, which is based in Milwaukee and found the leaked data, has alerted the operators of the vulnerable sites.

Holden said the records had not been sold off by the criminals, and were instead being used to distribute spam on victims' social networks; this suggests any number of the swiped passwords are either unencrypted or have been cracked.

The gang, according to Hold's research, is made up of fewer than a dozen 20-something men, all of whom know each other and are split into small teams: some focus on harvesting credentials, and others maintain the vulnerabilities-hunting botnet that was built on the back of some unknown malware.

Software developers should consult the OWASP Proactive Controls list to help wipe out top web app vulnerabilities in their products.

And, naturally, Holden's company offers an identity-theft alert subscription service for anyone who fears their passwords have been, or will be, obtained. Although the New York Times says it took steps to verify Hold's claims, until the names of the raided websites emerge, it's too early to panic, if at all. ®

Updated to add

Alex Holden's Hold Security biz is under fire for charging website owners $120 a year to find out if their systems have been compromised. Meanwhile, a free service for netizens, which checks whether they've had their details nicked, asks for email addresses and passwords, which has angered some in the infosec world. The passwords are apparently hashed in the web browser.

Investigative reporter Brian Krebs, who previously worked with Holden to lift the lid on the digital underworld, defended the researcher this week: "It is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors."

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.