Russian Hackers Collect Over One Billion Passwords

The New York Times reports that Russian criminal hackers have collected the largest-known horde of stolen Internet credentials ever, including 1.2 billion username/password combinations and half a billion email addresses.

The theft dwarfs the recent theft from Target, which involved 70 million personal records and 40 million credit and debit card numbers.

Hold Security, based in Milwaukee, says that it discovered the trove of stolen information. Independent experts verified the authenticity of the find.

The group behind the theft appears to be based in south-central Russia and to have about a dozen 20-something members. Hold named them “CyberVor,” “vor” being the Russian word for thief.

Hold previously uncovered the theft of 153 million records from Adobe. It is offering a service that lets people check whether their credentials are on the Russians’ list.

However, the Wall Street Journal reported that other experts are questioning whether the security threat is as bad as it sounds.

Stewart Baker, a law firm partner and the former general counsel of the National Security Agency, said, “1.2 billion is a very big number. If they got there by assembling two years’ worth of hacks, it is less impressive.”

Dr. Brad Karp, an expert at University College London who researches internet and systems security, said in The Guardian that whether the breach turns out to be as significant as Hold claims or not,

The important takeaway is that … the state of web security and software is sufficiently bad that a find like this is entirely conceivable.

An expert quoted by the Wall Street Journal said that it was “strange” that Hold would charge people to find out if their data had been stolen. “Typically when these leaks occur you do notifications of the victim parties and don’t charge for it,” said Dmitri Alperovitch, chief technology officer at cybersecurity firm CrowdStrike Inc.

Hold says it’s already notified the companies affected by the breach.

Companies targeted by the thieves included everything from Fortune 500 firms to mom-and-pop stores. In all, 420,000 sites had information stolen.

It doesn’t appear that the hackers have sold the information… yet. They appear to be using it to send spam on social networks like Twitter on behalf of other groups, collecting fees for their services.

The Times noted that:

While a credit card can be easily canceled, personal credentials like an email address, Social Security number or password can be used for identity theft. Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

We added the emphasis to stress that human beings are the weakest link in the username/password system of network “security.” You simply can’t get people to change their behavior, no matter how much risk they’re exposing themselves to, so the only solution is to change the system.

As long as passwords are static, thieves will find a way to steal them. One solution is dynamic encryption – changing passwords before thieves can use them.

The Times offered some suggestions for how to keep data out of hackers’ hands. Things like changing passwords and using stronger passwords are better than following “worst practices” – e.g., using the same simple password for everything, as far too many people do — but a “better” password is no guarantee that your data will be safe.

As the Times puts it:

How can I stop my information from being stolen in the first place?

Increasingly, you cannot. Regularly monitoring your financial records can help minimize the damage if someone gets your information. But only the companies storing your personal data are responsible for securing it. Consumers can slow down hackers and identity thieves, but corporate computer security and law enforcement are the biggest deterrents.

Saying that law enforcement is a “deterrent” is a bit of a joke. Who exactly are those Russian hackers being “deterred” by?

We agree that better corporate security is the answer. And this means a new data protection system introduced as an industry standard.

The Guardian story on the breach noted:

Whether verified or not, the security leak is yet another nail in the coffin for usernames and passwords as the security device of choice. Users are still advised to maintain strong passwords that are not easy to guess and that do not include real English words, but other solutions must be found.

According to one security expert quoted by the Times,

Companies that rely on user names and passwords have to develop a sense of urgency about changing this. Until they do, criminals will just keep stockpiling people’s credentials.

We couldn’t agree more with both statements.

Just as our patents became a crucial part of the data encryption specification for WiFi, we believe that PACid’s Bolt-on Strong Security (BoSS) can form the basis for a new security standard that makes data breaches – and stolen data troves – a thing of the past.