An August 5th report from Hold Security, a private security firm in Milwaukee, alleged that a Russian gang of hackers stole the personal data of more than half a billion people. Experts at Hold Security estimate that 420,000 web and FTP sites were accessed by the hackers in order to compile the largest-known database of stolen credentials to date. They’ve dubbed the gang responsible “CyberVor” (“vor” is Russian for “thief”) and have detailed how this occurred in this website article.
According to that article, it took Hold over 7 months to confirm the gigantic scale of this criminal gang’s activity, in what the firm calls the largest data breach ever.
So, how did it happen? Hold says that the gang initially acquired databases of stolen credentials from fellow hackers on the black market. More recently, however, the gang changed its method of attack and began using botnets to infect thousands upon thousands of computers with malware that lets them remotely control the victimized machines. While Hold won’t release any of the website domains that appear to have been hacked, it does say that size was not a factor in the gang’s targeting.
How widespread were these attacks? Hold estimates that over 1.2 billion unique sets of credentials (username and password) and 500,000 email addresses have been cataloged so far. The sheer size of this collection is impressive and may point to a new trend in which cybercriminals amass web credentials for later use. The only known use of the credentials so far seems to be sending spam from compromised social media accounts (we’ve all gotten those Facebook messages).
After the initial shock of Hold’s announcement, however, some began to meet the firm’s claims with suspicion. Newer reports, as noted in this article from Business Insider, call into question both Hold’s intentions and its decision not to reveal exactly which websites were targeted. The firm also drew some flak from Forbes for charging individuals a $120 subscription fee to use its website to see if “you’ve been hacked.”
As we await any more clarity regarding the Hold Security revelation, we offer these best practices to protect your systems in this environment:
- Robust password policies. We recommend that passwords be changed every 3 to 6 months, that password reuse be prohibited, and that passwords be strong: at least 8 characters including 1 upper case letter, 1 lower case letter and 1 digit.
- Use of different passwords for different services. Users who reuse the same password across all their accounts are at risk: if that password is stolen from an unimportant, poorly secured service, their important accounts are exposed as well.
- Vulnerability analysis. Review your own web services to make sure your applications are not at risk. Per Hold’s reports, SQL injection, one of the most common attacks, was used for the majority of the hacks. We recommend security reviews that screen for the weaknesses listed in the OWASP Top 10, which include SQL injection and other common vulnerabilities.
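To make the first and third recommendations concrete, here is an added Python example (written for this post; it is not code from Eagle, Hold Security or any project mentioned above). It enforces the stated password policy (8+ characters with an upper case letter, a lower case letter and a digit, and no reuse of a previous password), stores salted PBKDF2 hashes in an in-memory SQLite table, and shows a username lookup in its injectable string-built form beside the parameterised form that a code review should insist on. The history depth, the PBKDF2 work factor, the table layout and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Policy values taken from the post: at least 8 characters with an upper-case
# letter, a lower-case letter and a digit, and no reuse of earlier passwords.
MIN_LENGTH = 8
HISTORY_DEPTH = 5          # assumed: how many previous passwords to remember per user
PBKDF2_ROUNDS = 200_000    # assumed: work factor for the stored hash


def check_policy(password: str) -> list[str]:
    """Return the policy rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so a leaked table does not expose reusable secrets."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_store() -> sqlite3.Connection:
    """In-memory credential store constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB);
        CREATE TABLE history (id INTEGER PRIMARY KEY AUTOINCREMENT,
                              username TEXT, salt BLOB, digest BLOB);
        """
    )
    return conn


def set_password(conn, username: str, password: str) -> list[str]:
    """Enforce the policy and the reuse ban; return the reasons it was refused, if any."""
    problems = check_policy(password)
    # Each history row carries its own salt, so the candidate is rehashed per row.
    rows = conn.execute(
        "SELECT salt, digest FROM history WHERE username = ? ORDER BY id DESC LIMIT ?",
        (username, HISTORY_DEPTH),
    ).fetchall()
    if any(hmac.compare_digest(hash_password(password, s), d) for s, d in rows):
        problems.append("password was used before")
    if problems:
        return problems
    salt = os.urandom(16)
    digest = hash_password(password, salt)
    conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)", (username, salt, digest))
    conn.execute("INSERT INTO history (username, salt, digest) VALUES (?, ?, ?)",
                 (username, salt, digest))
    conn.commit()
    return []


def verify_login(conn, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time comparison of the hash."""
    row = conn.execute("SELECT salt, digest FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def find_user_vulnerable(conn, username: str) -> list[str]:
    """The 'before' form: user input is spliced into the SQL text (do not ship this)."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(r[0] for r in conn.execute(query).fetchall())


def find_user_safe(conn, username: str) -> list[str]:
    """The hardened form: the driver binds the value, so it can never become SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return sorted(r[0] for r in rows.fetchall())


def demo() -> dict:
    """Run the policy, reuse, login and injection checks on constructed sample users."""
    conn = open_store()
    results = {}
    results["weak_rejected"] = set_password(conn, "alice", "password")
    results["alice_set"] = set_password(conn, "alice", "Winter2014x")
    results["bob_set"] = set_password(conn, "bob", "Summer2014y")
    results["reuse_rejected"] = set_password(conn, "alice", "Winter2014x")
    results["login_ok"] = verify_login(conn, "alice", "Winter2014x")
    results["login_bad"] = verify_login(conn, "alice", "Summer2014y")
    probe = "x' OR '1'='1"   # constructed input that closes the quoted string
    results["vulnerable"] = find_user_vulnerable(conn, probe)   # every row comes back
    results["safe"] = find_user_safe(conn, probe)               # no such username
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same probe string returns the whole user table from the string-built query and nothing from the bound query, which is exactly the difference a security review screening for OWASP Top 10 issues should look for in every place the application builds SQL. The rotation interval from the first bullet is not modelled here; it is a scheduling rule rather than a check on the password itself.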
None of these are new or novel suggestions. Eagle has recommended these to clients for years. However, the revelations from Hold Security elevate the priority of consistent implementation of these best practices.