Security Experts:

Russian Hackers Obtained 1.2 Billion Passwords: Report

Password Lists

A Russian hacker group has obtained an estimated 1.2 billion unique Internet credentials collected from various websites around world, security and risk management firm Hold Security, LLC reported on Tuesday.

According to the security firm, the user names and passwords were stolen from roughly 420,000 websites of all different sizes. The hackers also gained access to more than 500 million email addresses.

Overall, they say the cyber gang amassed over 4.5 billion records, of which the 1.2 billlion mentioned were unique credentials.

How they did it

According to the company, the hackers originally acquired databases of stolen credentials from other cybercriminals on the black market, which were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. 

Later, however, the security firm said the hackers, dubbed the "CyberVor" gang by Hold Security, changed their approach to leverage botnets in order to conduct their attacks.

"These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited, the blog post explained. "The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone"

The attackers used the vulnerabilities to steal data from these sites’ databases, eventually ending up with the largest cache of stolen personal information ever found, they said.

Alex Holden, founder and chief information security officer of Hold Security, told SecurityWeek that his firm is not going to be publishing the full report in order to protect the privacy of the victims.

News of the discoverey was first reported by Nicole Perlroth and David Gelles of the New York Times

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Holden told the Times.

Most of the sites that the hackers pillaged are still vulnerable, Holden said. The Times said the group is based in a small city in south central Russia and includes fewer than a dozen men in their 20s “who know one another personally — not just virtually.”

“This issue reminds me of an iceberg, where 90 percent of it is actually underwater,” John Prisco, CEO of Triumfant, told SecurityWeek in an emailed statement. “That’s what is going on here with the news of 1.2 billion credentials exposed. So many cyber breaches today are not actually reported, often times because companies are losing information and they are not even aware of it.”

“Today, we have learned of a huge issue where it seems like billion passwords were stolen overnight, but in reality the iceberg has been mostly submerged for years – crime rings have been stealing information for years, they’ve just been doing it undetected because there hasn’t been a concerted effort on the part of companies entrusted with this information to protect it,” Prisco continued.

An Urgent Call for Two-factor Authentication

Eric Cowperthwaite, vice president, advanced security & strategy at Core Security, explained that this is another example of the pressing need for users and companies to leverage two-factor authentication.

“Companies need to transition to two-factor authentication,” Cowperthwaite said. “Companies such as Facebook and Twitter have finally started offering two-factor authentication, but the bottom line is that most users aren't taking advantage of it.”

“Banks, as a standard practice, should absolutely be using two-factor authentication,” Cowperthwaite added. “They have a certain amount of loss from fraud built into their operating model - they just accept that it will happen. This acceptance is a shame since there are many simple ways to reduce those costs significantly.”

Holden told the Times that his team has started to alert victimized companies of breaches, but had been unable to reach every website. He also said that Hold Security was working to develop an online tool that enables users to test and see if their personal information is in the database.

“Russian cyber gangs are known for breaking in to steal whatever they can as quickly as possible,” said Joshua Roback, Security Architect, SilverSky. “We should expect to see these accounts for sale on underground forums before the week is through."

"Understanding why passwords are so valuable to hackers can both explain and prepare enterprises to deal with potential security vulnerabilities," SecurityWeek columnist Gil Zimmermann noted in a December 2013 column. "There are potentially hundreds of uses for stolen passwords once they are obtained."

While not close to the scope of this recently disclosed discover, Germany's Federal Office for Online Security (BSI) warned Internet users in January that cybercriminals had obtained a list of 16 million email addresses and passwords.

Related: Hackers Just Made Off with Two Million Passwords, Now What?

*Updated

view counter
For more than 10 years, Mike Lennon has been closely monitoring the treat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences.