Last week, The New York times released a story about Russian hackers sitting on a dump of over 1.2 billion stolen credentials (usernames and passwords)… Yes, that’s billion with a b.
The New York Times based their story on information from Hold Security, a research firm that helped track the Adobe and Target breaches. According to a blog post, Hold Security’s researchers identified a Russian cyber gang (who they call CyberVor) sitting on a dump of 4.5 billion credentials; 1.2B actually being unique. They say the group also has over 500 million unique email addresses. This huge repository of data wasn’t the result of a single attack, rather a long term botnet campaign that allegedly leveraged SQL injection (SQLi) attacks to steal this information from over 420,000 vulnerable web sites.
Other than that, not much is publicly known about this campaign of credential thefts. In fact, some find this news somewhat suspicious, since Hold Security hasn’t shared all the relevant details yet. For instance, they haven’t said whether or not the stolen credentials are hashed, which would at least impose a small roadblock on those trying to leverage them. They also haven’t shared any physical data about this leak, at least publicly. Furthermore, they seem to be charging for a subscription service to tell you whether or not you are affected. That said, Hold Security is a well-known and respected group that even has the backing of Brian Krebs. Lying about a breach of this magnitude would be business suicide.
So the obvious question is, what should you do? It’s pretty simple actually, if not a bit irritating. Change all your passwords! I know it’s a pain in the butt, but if this is true, bad guys probably have access to at least one of your passwords. You should use this as an excuse to change your password on every important site. I highly recommend using a different password on every site, and using a password vault to help you create and remember all these strong passwords.
One last aside. A few folks have asked me if they should get new credit cards. So far, there have been no reports that these Russian hackers are sitting on any credit card details. So currently, there is no need for any panic there. If news of credit card leaks comes out, your credit card company will likely inform you if you’re affected. — Corey Nachreiner, CISSP (@SecAdept)