Monitor your inbox and change passwords in light of Russian hack attack.
FILE - In this file photo taken Friday, Jan. 15, 2010, people use computers at an Internet cafe in Fuyang in central China's Anhui province. This week's news that a Russian crime ring has amassed some 1.2 billion username and password combinations makes now a good time to review ways to protect yourself online.
The numbers are getting so large as to be absurd. A clutch of Russian hackers has collected 1.2 billion stolen username and password combinations, and more than 500 million e-mail addresses from attacks on 420,000 websites around the world.
What’s a hack-saturated public to do?
Security pros say we know the drill: Change passwords, and craft a different one for each account. Monitor bank and other account statements. Beware of the inevitable phishing e-mails notifying people they’ve been affected and offering help, with links to click on, and so on.
It’s tempting to brush off the latest disclosure as “just one more story of hackers and ‘There’s nothing I can do and nobody’s going to go after me anyway,’ ” said Mark Lanterman, chief technology officer at Computer Forensic Services in Minnetonka.
“We’re exactly the people who are going to be victimized by this,” Lanterman said. “People should take this seriously.”
Unlike the costly monster breach at Minneapolis-based Target Corp., in which crooks sucked up streams of actual payment card information, this stockpile involves Internet credentials and e-mail addresses. The most obvious use for the information is spamming, according to Brian Krebs, the security reporter at KrebsonSecurity.com who broke the news last year of Target’s attack.
The credentials are valuable to spammers who want it to distribute malware and junk mail, sometimes from the victim accounts themselves, he said.
“Spam, spam and … oh, spam,” Krebs wrote in his Wednesday blog.
“Spam is such a core and fundamental component of any large-scale cybercrime operation that I spend the last four years writing an entire book about it,” Krebs said.
Krebs vouched for Alex Holden, the head of Milwaukee-based Hold Security who revealed the trove of account credentials in a New York Times story on Tuesday, adding that Holden has been “central” to several of his big scoops over the past year.
One of those was the huge breach at Adobe Systems Inc. last year in which a total of 152 million different pieces of data, mostly customer information, were taken.
Holden could not be reached Wednesday.
Hold Security’s website promoted its findings with a bright red alert on its home page proclaiming: “Hold Security uncovers the largest ever security breach! Over one billion of stolen credentials to thousands of websites!”
The company’s alert goes on to say it pinpointed an unnamed Russian cybergang after seven months of research. The group ultimately used information from botnets, or networks of large numbers of computers that hackers have taken over, to find more than 400,000 websites that were potentially vulnerable to SQL injection attacks. Then they used the hacking technique to swipe information.
Holden told the New York Times that he couldn’t name the companies due to nondisclosure agreements. But he said they include Fortune 500 companies. The alert on his company’s website said “the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.”
The Hold Security alert goes on to offer its services to affected companies and individuals. Its breach notification service for companies, for instance, starts at $120 a year.
Lanterman objected to what he perceived as a security company taking advantage of a threat. “I just think that’s tacky,” he said.