The numbers are getting so large as to be absurd. A clutch of Russian hackers has collected 1.2 billion stolen username and password combinations, and more than 500 million e-mail addresses from attacks on 420,000 websites around the world.
What’s a hack-saturated public to do?
Security pros say we know the drill: Change passwords, and craft a different one for each account. Monitor bank and other account statements. Beware of the inevitable phishing e-mails notifying people they’ve been affected and offering help, with links to click on, and so on.
It’s tempting to brush off the latest disclosure as “just one more story of hackers and ‘There’s nothing I can do and nobody’s going to go after me anyway,’ ” said Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka.
“We’re exactly the people who are going to be victimized by this,” Lanterman said. “People should take this seriously.”
Unlike the costly monster breach at Minneapolis-based Target Corp., in which crooks sucked up streams of actual payment card information, this stockpile involves Internet credentials and e-mail addresses. The most obvious use for the information is spamming, according to Brian Krebs, the security reporter at KrebsonSecurity.com who broke the news last year of Target’s attack.
The credentials are valuable to spammers who want them to distribute malware and junk mail, sometimes from the victim accounts themselves, he said.
“Spam, spam and … oh, spam,” Krebs wrote in his Wednesday blog.
“Spam is such a core and fundamental component of any large-scale cybercrime operation that I spent the last four years writing an entire book about it,” Krebs said.
Krebs vouched for Alex Holden, the head of Milwaukee-based Hold Security who revealed the trove of account credentials in a New York Times story on Tuesday, adding that Holden has been “central” to several of his big scoops over the past year.
One of those was the huge breach at Adobe Systems Inc. last year in which a total of 152 million different pieces of data, mostly customer information, were taken.
Holden could not be reached Wednesday.
Hold Security’s website promoted its findings with a bright red alert on its home page proclaiming: “Hold Security uncovers the largest ever security breach! Over one billion of stolen credentials to thousands of websites!”
The company’s alert goes on to say it pinpointed an unnamed Russian cybergang after seven months of research. The group ultimately used information from botnets, or networks of large numbers of computers that hackers have taken over, to find more than 400,000 websites that were potentially vulnerable to SQL injection attacks. Then they used the hacking technique to swipe information.
Holden told the New York Times that he couldn’t name the companies due to nondisclosure agreements. But he said they include Fortune 500 companies. The alert on his company’s website said “the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”
The Hold Security alert goes on to offer its services to affected companies and individuals. Its breach notification service for companies, for instance, starts at $120 a year.
Lanterman objected to what he perceived as a security company taking advantage of a threat. “I just think that’s tacky,” he said.
Hold Security’s report came as the information security industry gathers in Las Vegas for the Black Hat, Defcon and BSides conferences, and some professionals were speculating whether Holden’s timing indicated a publicity stunt.
Joshua Carlson, a Minneapolis data security attorney who was a former information technology security consultant at Best Buy Co. Inc., questioned whether Holden should have come forward earlier.
“When did they know about this surreptitious activity occurring?” he asked. “Did they know at 200 million? Were they not telling anyone?”
Jeff Hall, a senior security consultant in the Twin Cities for FishNet Security, said he questions how useful the stolen credentials are because companies frequently encrypt customer passwords or protect them in some other fashion. Hall said the reports he has read haven’t specified whether the stolen passwords are open and clear. Plus, some information is likely outdated.
Nonetheless, the public should brace for a wave of junk mail, he said. The crooks will probably sell the information to legitimate mass marketers too, he said.
“What does kind of take me aback is the sheer volume of consolidated user credentials,” said Lanterman. 1.2 billion username and password combinations “is a mind-boggling number.”