Sara Peters
Biggest Cache of Stolen Creds Ever Includes 1.2 Billion Unique Logins

A Russian crime ring has swiped more than a billion unique username-password combinations, plus a half-million email addresses.

A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.

According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.

What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.

"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."

Some companies "are not being proactive enough about security; therefore, they are ill equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."

"Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn't work. Vendors are in a transition period where the most effective products are not yet widely deployed."

Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
8/28/2014 | 3:17:15 PM
Scary if true
While some people may be skeptical because the company won't divulge how they got the information, that might be more due to the fact that if they did, someone is going to get a lot of attention from Russian criminals. However, the part where the company now offers a service to tell you if you're on the list isn't doing their reputation any favors, given what they are charging for a search of a single login on a list they already have. If true, though, it is very scary as someone who has to rely on several companies to keep my info secure.
Steve Riley
User Rank: Author
8/15/2014 | 3:44:47 PM
Count me skeptical
A lot of people are beginning to question the veracity of this story. For example, The Lie Behind 1.2 Billion Stolen Passwords:

Let's look at the warning signs right off the bat:

  • Announces 4 billion passwords have been taken across 420,000 websites
  • Makes zero indication on how he learned this or how he obtained the output of 420,000 websites' U/P data
  • Unbiased sources who have met Holden describe him as a generally acceptable individual with an aggressive approach to establishing clients. Chris Roberts, founder of Denver's One World Labs, said that Holden "[...] has gone off and done his own thing [...] he has his way of doing it — very different than mine"
  • Refuses to indicate any of the sites compromised so that users can change their passwords as "there is an ongoing investigation"
  • No law enforcement agencies (local, state, or federal) have corroborated that they are investigating
  • Explains that he knows the names and locations of these hackers but not the group they are affiliated with
  • Offers a for-pay service for individuals and companies to see if their data is being compromised which is odd because that generally doesn't happen during an investigation
  • Lied about where he went to school and graduated — the 2001 engineering degree from the University of Wisconsin-Milwaukee? That never happened as Holden never graduated.
  • Released information specifically during BlackHat for maximum attention when a very similar story was released in February by Hold Security.
  • Individuals quickly chimed in with similar-but-different ulterior motives: Chase Cunningham and Brian Krebs
  • Lacking a name for the criminal group, Holden simply references them as CyberVor — Vor meaning "thief" in Russian.
  • States that the "group" purchased large numbers of U/P lists; however, makes zero indication where the stolen content ends and the bought content begins.

Forbes: Firm That Exposed Breach Of 'Billion Passwords' Quickly Offered $120 Service To Find Out If You're Affected

The Verge: The Russian 'Hack of the Century' Doesn't Add Up

IT World: Massive Russian Hack Has Researchers Scratching Their Heads

Bruce Schneier: Over a Billion Passwords Stolen?

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn't a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

And a decent Reddit thread

Robert McDougal
User Rank: Ninja
8/11/2014 | 11:43:22 AM
Re: Self-serving
I think Hold Security is just trying for headlines and money here. They will not disclose how they discovered the credentials, but for $120/year they will let you know if you are on the list. Sounds fishy to me.
User Rank: Apprentice
8/7/2014 | 4:17:05 PM
Re: Self-serving
They are not asking you for your password. They are asking you for a Hash of your password, which they can then use to check if someone else has your password.
User Rank: Apprentice
8/6/2014 | 4:48:23 PM
Re: Self-serving
I find it more interesting that Hold is going to offer a service to allow individuals to pay (based on other reports) to determine if you were compromised. The Hold webpage indicates that they even plan to ask for your passwords for this service.

"We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification."

What happened to security rule #1 being "don't give out your passwords"? Now the people who are supposedly security experts are planning to ask for all of everyone's passwords as part of their service. Any respect I had for Hold just went out the window.
User Rank: Strategist
8/6/2014 | 11:03:57 AM
Re: SQL injection attacks?
How is ASP Classic any worse than Java?

A good framework helps, but the biggest problem is dynamic SQL, concatenated in code from strings such as "select ... where col1 = '" & var1 & "' and col2 = '" and so on.

As long as you keep your SQL in stored procedures, and set up the access correctly, you should be OK.

But it takes a lot of planning and dedication to keep the database access under control. It is so much easier for a programmer to just create that select on the fly, and for the manager to turn a blind eye to it.

So SQL injection will live on.
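The distinction the comment above draws between a query concatenated from strings and one whose values are passed separately, as an added example that is not from the page or its commenters. It uses Python and SQLite as a stand-in for the ASP pattern; the users table, its two rows and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_concatenated(conn, username):
    """Dynamic SQL built the way the comment describes ("... = '" & var1 & "'").
    The untrusted value becomes part of the statement text, so any quote
    characters it carries are re-parsed by the engine as SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Same query with a bound parameter. The statement text is fixed and the
    value travels separately, so the engine only ever compares it as data;
    a stored procedure with typed parameters gives the same guarantee."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return (concatenated, parameterized)."""
    conn = make_db()
    return lookup_concatenated(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    # A plain name behaves the same either way; a value carrying a quote does not:
    # the concatenated form matches every row, the parameterized form matches none.
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```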
User Rank: Ninja
8/6/2014 | 10:36:39 AM
Re: SQL injection attacks?
Mainly old sites that were not re-developed with the latest frameworks. If we are still using ASP pages, of course that would be a good option for black hats to try and exercise their skills.
User Rank: Ninja
8/6/2014 | 10:33:21 AM
Re: a billion credentials is stolen
They may not end up with anything, but this shows there are a good number of sites out there that are vulnerable to SQL injection.
User Rank: Ninja
8/6/2014 | 10:31:26 AM
Not the number of records

The amount is huge and that makes it impressive; however, if you total up the last breaches, that will go beyond it. Most of the time it is not the number of records, it is what they end up with. Most passwords in most systems are hashed; if a good algorithm is used, it will take time for them to get the passwords, and it may not even be worth it after a while.
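The two points made in the comments above, that a SHA512 "representation" of a password is not the same as the password, and that a good hashing algorithm makes recovering passwords slow, as one added Python example that is not from the page, from Hold Security or from the commenters. The wordlist is constructed, and PBKDF2-HMAC-SHA512 is assumed here as a stand-in for a "good algorithm"; the page does not name one.

```python
import hashlib
import time
from typing import Optional

# Constructed stand-in for a leaked-password wordlist; real lists run to many millions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "password123"]


def sha512_representation(password: str) -> str:
    """Unsalted SHA-512 hex digest, the kind of 'strong cryptographic
    representation' the quoted service asks users to hand over."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def recover_from_unsalted(digest: str, wordlist) -> Optional[str]:
    """Whoever holds an unsalted digest can compare it against hashed candidates;
    for a password that appears in a wordlist the digest is as good as the password."""
    for candidate in wordlist:
        if sha512_representation(candidate) == digest:
            return candidate
    return None


def pbkdf2_representation(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA512, assumed here as the 'good algorithm').
    A per-record salt defeats a shared lookup table; the iteration count multiplies
    the cost of every guess, which is the 'it will take time' effect."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations).hex()


def guess_cost_ratio(password: str = "password123", iterations: int = 100_000) -> float:
    """How many times more expensive one PBKDF2 guess is than one plain SHA-512 guess."""
    t0 = time.perf_counter()
    for _ in range(1000):
        sha512_representation(password)
    fast = max((time.perf_counter() - t0) / 1000, 1e-9)
    t0 = time.perf_counter()
    pbkdf2_representation(password, b"constructed-salt", iterations)
    return (time.perf_counter() - t0) / fast


if __name__ == "__main__":
    leaked = sha512_representation("password123")
    print("recovered from unsalted SHA-512:", recover_from_unsalted(leaked, COMMON_PASSWORDS))
    print("one PBKDF2 guess costs about %.0fx one SHA-512 guess" % guess_cost_ratio())
```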