Russian group hacks 1.2 bn usernames, passwords

07 Aug 2014

A Russian group has hacked 1.2 billion usernames and passwords belonging to 500 million plus email addresses, Hold Security, a US firm specialising in discovering breaches, reported.

The company described the hack as the "largest data breach known to date".

After more than seven months of research, Hold Security identified a Russian cyber gang which it said is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it "CyberVor" ("vor" meaning "thief" in Russian).

The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.

How did this occur? Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems.

According to Hold Security, earlier this year the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnets (large groups of virus-infected computers controlled by one criminal system).

These botnets used victims' systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone.

The CyberVors used these vulnerabilities to steal data from these sites' databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.

Hold Security gave no details of the companies affected by the hack.

"They didn't just target large companies; instead, they targeted every site that their victims visited," Hold Security said in its report.

With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as several small or even personal websites.


According to The New York Times, which first reported the findings, "a security expert not affiliated with Hold Security analysed the database of stolen credentials and confirmed it was authentic".

"Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information," the paper said.

Hold Security declined to name the sites that were breached, citing non-disclosure agreements and concerns that they remained vulnerable to attack.

According to Alex Holden, the founder of Hold Security, hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. He told The New York Times that most of these sites were still vulnerable.

According to Dmitri Alperovitch, chief technology officer of the cybersecurity firm CrowdStrike who spoke to Reuters, the stolen passwords could be used to access other accounts beyond the ones on sites that were breached as people commonly used the same passwords for multiple sites.

He added that a compromise like this could mushroom.

In February, the security company said it had uncovered some 360 million stolen credentials on cyber black markets.