Aug 06
The Password Apocalypse has Happened and ThreatMetrix Predicted It
Russian Crime Ring Rips Off 1.2 Billion Username/Password Combos and More than Half-a-Billion Email Addresses
The crime is mind boggling. It’s as if one in every seven people on the planet had been burglarized. The gang, which breached 420,000 websites ranging from obscure to household names, was discovered by Hold Security.
Alex Holden, Hold Security’s founder and chief information security officer, said, “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”
ThreatMetrix predicted this would happen as early as 2013, when Alisdair Faulkner, ThreatMetrix chief products officer, wrote: “2013: The Year of the Password Apocalypse.”
Early this year Andreas Baumhof, ThreatMetrix chief technology officer, wrote on the same subject, “3 Steps Businesses Can Take to Guard Against ‘Password Apocalypse’ in Wake of Data Breaches.”
And finally, ThreatMetrix provided you with an infographic titled “Data Breach! What Happens Next.”
In their nytimes.com story, Nicole Perlroth and David Gelles explore the background and ramifications of this unprecedented and wide-ranging security breach. The following has been excerpted from their piece and edited to fit our format. Their full article is available on nytimes.com.
[The] size of the latest discovery has prompted security experts to call for improved identity protection on the web.
“Companies that rely on usernames and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at Gartner, the research firm. “Until they do, criminals will just keep stockpiling people’s credentials.”
Websites inside Russia had been hacked, too, and Mr. Holden said he saw no connection between the hackers and the Russian government. He said he planned to alert law enforcement after making the research public, though the Russian government has not historically pursued accused hackers.
So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.
But selling more of the records on the black market would be lucrative.
The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are believed to be in Russia.
“There is a division of labor within the gang,” Mr. Holden said. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools.
Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets…. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to… a SQL injection [where] a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.
“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.
By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.
The average total cost of a data breach jumped 15 percent this year from last year, to $3.5 million per breach, from $3.1 million, according to a joint study last May, published by the Ponemon Institute, an independent research group, and IBM.
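The SQL injection the excerpt describes (input that makes a database hand over its contents) comes down to whether user input is spliced into the SQL text or bound as a parameter. The following is an added example, not code from ThreatMetrix or the Times piece: a string-built login lookup beside its parameterized form, run against a constructed in-memory SQLite table. The function names, the sample users and the probe input are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample table. Plaintext passwords appear here only to mirror
# the kind of table the dumps described above came from, not as a practice.
USERS = [("alice", "hunter2"), ("bob", "s3cret"), ("carol", "letmein")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    """String-built query: the caller's input becomes part of the SQL text,
    so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username, password):
    """Bound parameters: the driver passes input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username, password):
    """Run the same input through both forms; returns (vulnerable, safe)."""
    conn = make_db()
    try:
        return (lookup_vulnerable(conn, username, password),
                lookup_parameterized(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate login matches one row in both forms.
    print(compare("alice", "hunter2"))
    # Input containing a quote and a tautology: the string-built query now
    # matches every row (the whole table leaks); the bound query matches none.
    print(compare("x' OR '1'='1", "x' OR '1'='1"))
```

Running the probe input through both forms is a cheap regression check for a login handler: the fixed version should return no rows for it while still matching a genuine credential pair.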