Russian crime ring steals largest stockpile of user name, password combos; 1.2 billion online users affected
Photo: Image by Getty Images
An independent crime ring in Russia has stolen and stockpiled 1.2 billion user name and password combinations, including 500 million email addresses. This is the largest known collection of stolen Internet identities.
The Milwaukee firm, Hold Security, gathered the startling information about the theft after 420,000 websites were hacked for private user information.
According to The New York Times, “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”
“There is a division of labor within the gang,” Holden shares with The New York Times. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.” This collective group of criminals is said to have begun in 2011 as amateur spammers.
Most of the collected records have not yet been sold, but instead, the stolen log-in information has been used to tap into social media networks, such as Twitter, to spam accounts.
"The Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding," reports The New York Tmes. "Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as an SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database."
The New York Times further explains, "By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique." Adds the Times, "Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses."
Holden is hoping to contact each victimized company through his security firm. He is also working to create a secure website for the general public, to allow them access to the database to see if their own information was, in fact, stolen.