Application Security // Database Security
8/5/2014
07:15 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Biggest Cache of Stolen Creds Ever Includes 1.2 Billion Unique Logins

A Russian crime ring has swiped more than a billion unique username-password combinations, plus a half-million email addresses.

A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.

According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.

What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.

"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."

Some companies "are not being proactive enough about security; therefore, they are ill equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."

"Today, we have learned of a huge issue where it seems like billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn"t work. Vendors are in a transition period where the most effective products are not yet widely deployed."

Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
kstaron
50%
50%
kstaron,
User Rank: Apprentice
8/28/2014 | 3:17:15 PM
Scary if true
While some people may be skeptical becasue the company won't divulge how they got the information that might be more due to the fact if they did someone is going to get a lot of attention from Russian criminals. However the part where the company now offers a service to tell you if you're on the list isn't doing their reputation any favors given what they are charging for a search of a single login on a list they already have. If true though, very scary as someone who has to rely on several companies to keep my info secure.
Steve Riley
50%
50%
Steve Riley,
User Rank: Author
8/15/2014 | 3:44:47 PM
Count me skeptical
A lot of people are beginning to question the veracity of this story. For example, The Lie Behind 1.2 Billion Stolen Passwords:

Let's look at the warning signs right off the bat:

  • Announces 4 billion passwords have been taken across 420,000 websites
  • Makes zero indication on how he learned this or how he obtained the output of 420,000 website's U/P data
  • Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denver's One World Labs, said that Holden "[...] has gone off and done his own thing [...] he has his way of doing it — very different than mine"
  • Refuses to indicate any of the sites compromised so that users can change their passwords as "there is an ongoing investigation"
  • No law enforcement agencies (local, state, or federal) have corroborated that they are investigating
  • Explains that he knows the names and locations of these hackers but not the group they are affiliated with
  • Offers a for-pay service for individuals and companies to see if their data is being compromised which is odd because that generally doesn't happen during an investigation
  • Lied about where he went to school and graduated — the 2001 engineering degree from the University of Wisconsin-Milwaukee? That never happened as Holden never graduated.
  • Released information specifically during BlackHat for maximum attention when a very similar story was released in February by Hold Security.
  • Individuals quickly chimed in with similar-but-different ulterior motives: Chase Cunningham and Brian Krebs
  • Lacking a name for the criminal group, Holden simply references them as CyberVor — Vor meaning "thief" in Russian.
  • States that the "group" purchased large numbers of U/P lists; however, makes zero indication where the stolen content ends and the bought content begins.

Forbes: Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected

The Verge: The Russian 'Hack of the Century' Doesn't Add Up

IT World: Massive Russian Hack Has Researchers Scratching Their Heads

Bruce Schneier: Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

And a decent Reddit thread

Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/11/2014 | 11:43:22 AM
Re: Self-serving
I think Hold Security is just trying for headlines and money here.  They will not disclose how they discovered the credentials but for $120/ year they will let you know if you are on the list.  Sounds fishy to me.

http://tech.firstpost.com/news-analysis/one-billion-password-theft-firm-wants-users-to-pay-120-to-know-if-their-account-was-compromised-228573.html
Dolos.Apate
50%
50%
Dolos.Apate,
User Rank: Apprentice
8/7/2014 | 4:17:05 PM
Re: Self-serving
They are not asking you for your password. They are asking you for a Hash of your password, which they can then use to check if someone else has your password.

http://en.wikipedia.org/wiki/Cryptographic_hash_function
briancobbler
100%
0%
briancobbler,
User Rank: Apprentice
8/6/2014 | 4:48:23 PM
Re: Self-serving
I find it more interesting that Hold is going to offer a service to allow individuals to pay (based on other reports) to determine if you were compromised. The Hold webpage indicates that they even plan to ask for your passwords for this service.

"We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification."

What happened to security rule #1 being "don't give out your passwords" and now the people who are supposedly security exports are planning to ask for all of everyones passwords as part of their service. Any respect I had for Hold, just went out the window.

http://www.holdsecurity.com/news/cybervor-breach/
marklfeller
0%
100%
marklfeller,
User Rank: Apprentice
8/6/2014 | 3:58:22 PM
asada
My last pay check was $9500 working 12 hours a week online. My sisters friend has been averaging 15k for months now and she works about 20 hours a week. I can't believe how easy it was once I tried it out. This is what I do,

 

 

=======================

WWW.JOBS606.COM

======================= 
prospecttoreza
50%
50%
prospecttoreza,
User Rank: Apprentice
8/6/2014 | 11:03:57 AM
Re: SQL injection attacks?
how's asp classic is any worse than java?

a good framework helps, but the biggest problem is the dynamic sql - concatenated in code from strings such as "select ... where col1 = '" & var1 & "' and col2 = '" and so on.

as long as you keep your sql in stored procedures, and set up the access correctly, you should be ok.

but it takes a lot of planning and dedication to keep the database access under control. it is so much easier for a programmer to just create that select on the fly, and for the manager to keep a blind eye to it.

so sql injection will live on.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/6/2014 | 10:36:39 AM
Re: SQL injection attacks?
Mainly old sites that were not re-developed with the latest frameworks. If we are still using ASP pages of course that would be a good option for black hats to try and exercise their skills.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/6/2014 | 10:33:21 AM
Re: a billion credentials is stolen
They may not end up with anything but this shows there are good amount of sites out there that are vulnerable to SQL injections.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
8/6/2014 | 10:31:26 AM
Not the number of records
 

The amount is huge and that make is impressive, however if you total last the breaches that will go beyond that, most of the time it is not the number of record it is what they end up with. Most passwords in most system are hashed, if a good algorithm is used it will take time for them to get the password and it may not even be worth after a while.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.