Security

Russian gangs take 1.2B passwords, 500M email addresses in biggest Web heist ever

Image Credit: illustration via Tom Cheredar

Security researchers are calling it the biggest theft of user data ever.

A Russian criminal group successfully lifted 1.2 billion passwords and 500 million email addresses from 420,000 websites, Hold Security, an Internet security company, said today.

Hold Security, based in Milwaukee, has declined to release either the names of those whose information was stolen or the websites from which the data was pilfered. The company said it was cooperating with U.S. law enforcement and that so far the Russian gang did not appear to be affiliated with the Russian government.

The timing is interesting, as relations between the West, led by the U.S., and Russia, led by strongman Vladimir Putin, have reached their lowest level since the end of the Cold War in 1989. Pro-Russian separatists backed by Moscow and fighting in Ukraine have been linked to the downing of a Malaysian Airlines flight in July that killed 300 people.

According to the scorching Hold Security after-action report, this is how it went down:

“Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone.”

The astonishing feat makes the Target data breach in December, where 40 million credit cards and 70 million email addresses were stolen from the retailer's servers, pale by comparison. In that attack, Eastern European hackers were fingered as the main culprits, but no arrests have ever been made.

Hold Security operatives have been busy. They were the ones who officially confirmed the breach before the feds did, and they were also responsible for uncovering a little-known hack at Adobe Systems in San Jose where millions of digital files were stolen.

Investigators at Hold Security said they publicly unveiled the Russian hack, which they call the biggest to date, after a grueling seven-month investigation. In fact, the security company aptly named the group CyberVor, which means “thief” in Russian.

Small and big enterprise websites were hit in the massive fraud, but again, although identified by Hold Security operatives internally, the names have not been released. Yet.

The data thieves invariably were aided by people using the same password for multiple websites. Hold Security is asking anybody who believes they were targeted to reach out. While the feds — where was the NSA? — are not the ones who broke the story, U.S. intelligence agencies are no doubt involved now.

What to do?

A page on the Hold research site says: “Don’t panic. Try to strategize.”


59 comments
Brady Swenson

Privacy is dead. Time to embrace radical transparency.

Kathy McEwen

So has my email been hacked? Passwords stolen???

Owen Brunette

It reads as just another nonsense security story from a PR person at a security company. This one called Hold Security's. The NYT went along with it maybe because Russian things are spicy this week, or somebody somewhere in the chain was fed the story this week for more foreign policy reasons. The actual story is about somebody buying a lot of passwords and doing some messing about to try to get more. It's been exaggerated in the telling along the way to be Fortune 500 companies and over a billion people.

William Su

All your password are belong to us... Nooooo

Satyajit Paul

Now they all set to start a paid service called "forgot password?"

Vladimir Tepeš

why? Isn't the biggest heist ever the one which the NSA is doing? #justaskin

Seth Goldstein

So is there a website to check if you're at risk?

Myron Hawrylak

Missed this one, eh NSA and facebook? What's the good of yah?

Bilal Ahmed

It's a way to create mob n put hate in Americans' mind. I can't believe that CIA had been unaware of this massive attack *sigh*

Blaze Di Vibrations

Or they might have privately contacted the sites that were infiltrated, and because of their discreet manner they might just might land a contract with them. No one wants to spook the consumers; they are the biggest factor to whether any business thrives or dies.

Matty Johnson

Why would they use the apple icloud logo in this, apple will sue! They r crazy town.

Pete Hernandez

This story is worthless if you don't name websites. It's propaganda that feeds the fear machine. Implying apple was compromised with no facts to support the claim is teetering on libel.

Saleh Deo Duce

If they are russian they are called gangs... If they are the american government we call them protective services.....

Ben Cheong

Is this article supposed to make us hate the Russians? Maybe sort of brainwash us into they are all at fault here?

Irshu EK

1.2B passwords? That's whole internet

Matthew Baker

Ivo Christiaan Vermeulen you've been taken by ruskies!

Tony King

Why would the Russian Government be behind this in the first place? Why would this suggestion even be floated?

Michael Dieckmann

Russia stock exchange loses $1.000.000.000.000 this year so far ... maybe fear, corruption and war is not the best way for the people - have fun with my email!

Marcel Scouten

Why worry about it, if you have a two-step verification process set up on your log in then there should be no issue even if they have your User and Password.

Wes Upchurch

Strange that they don't name a single site that was hacked. Think maybe Holden Security is just trying to sell their service through fear mongering?

Marc Giombetti

And this is why you should use 2 factor authentication!

Lisa Mayumi Reyes

i have been a victim, several times, FB IT are trained for this,

David M Taylor

Pissofsky and enjoy your new decadent life... with all those email accounts... losers

Diana Scholten

Great post, I just shared it on my Commentrix FB Page. Thank you!

Kenneth Brøgger-Luplau

There are 3B Internet users worldwide, so if everyone only has a single password for their whole digital life, then the number would be 3B passwords. But as you know, you should have a password per web service you use... then that number is a lot higher.