Russian Hacking Gang Captures 1.2 Billion Credentials: What You Should Do

What do you get when you cross a dozen Russian criminal hackers with 420,000 websites with an SQL injection vulnerability? You get 4.5 billion compromised user records in the hands of those hackers.

On Tuesday, the New York Times reported that Hold Security of Milwaukee, Wisconsin discovered a database filled with stolen credentials. Alex Holden, chief information security officer of Hold Security tracked down the source of the stolen credentials to a small hacking ring of just under a dozen 20-something year old men, based out of south central Russia. He dubbed the group “CyberVor”.

Holden explained that the “hacking gang” consisted of a team of young men, each with his own role – some writing programs, others working to extract the credentials from the data. The entire outfit operates like an actual business.

The Russian Hacking Gang

According to Holden, CyberVor got started in 2011 as a team of spammers. The business plan then was to purchase stolen contact information off the black market in order to sent out mass spam emails for clients. Over the next few years, the team of criminal entrepreneurs built up a bot-net – a massive network of computers infected with a virus that allows them to be utilized for sending out the spam blasts.

bot net1   Russian Hacking Gang Captures 1.2 Billion Credentials: What You Should Do

Over time, the team utilized its bot-net to test for which websites were vulnerable to an SQL injection hacking attack. Once a list of websites were compiled, the team then set to work running the hack on the site and extracting the full contents of the database stored there.

With access to the database, the group was able to compile the 4.5 billion records, which turned out to contain a grand total of 1.2 billion unique user name and password credentials, and 542 million unique email addresses.

What This Means

If you think that you could go unscathed from this particular security threat, think again. Considering that there are currently just under 3 billion Internet users in the world, a breach of 1.2 billion unique username and password credentials represents a record-breaking success on the part of the criminal hackers, and it also means that your credentials are very likely at risk.

Orla Cox, the Director of Security Response for Symantec told NPR news that the safest approach to this is to assume that your credentials are compromised.

“I think all Internet users should assume they’ve been impacted by this. Clearly these aren’t opportunists, they aren’t hobbyists. These are full time cyber-criminals they have been likely carrying this out for a number of months, maybe even years.”

How do you know if any of your credentials have been affected? Unfortunately, you don’t – not until Hold Security publishes its online tool that will allow you to test whether your own information is in the database.

Meanwhile, Hold Security is capitalizing on the breach by building a suite of services intended to help website owners and Internet users manage the threat from this hacker gang. Those services include the following:

  • Breach Notification Service (BNS) – Alerts you if your site has been impacted by this breach or any other security breach. Cost: $120/year
  • Pen Testing and Audit Services – Will audit your site and find any vulnerabilities. No price listed.
  • Credentials Integrity Service – Notifies you if any of your website users have had credentials compromised. No price listed.
  • Electronic Identity Monitoring Service – Meant for individuals who want to know if their electronic identity is vulnerable or compromised. Pre-registration is available, as the service is under development.

What You Should Do

Of course, the cheapest approach to writing a check to Hold Security to tell you if you’ve been affected, is to simply change all of your passwords. While this may be annoying to do, so close on the heels of the Heartbleed fiasco just a few months ago, it’s really the only sure bet you have to secure your accounts. The problem of course, is that you can’t really do that until you know the websites you use are not vulnerable to SQL Injection.

bot net2   Russian Hacking Gang Captures 1.2 Billion Credentials: What You Should Do

If you want to determine whether the websites you use to access your accounts are safe or not, then you’ll need a way to know if they are safe from SQL Injection attacks – the weapon of choice for this particular Russian hacker gang.

Thankfully, it’s pretty easy to check if a site is vulnerable to that particular hack.  All you need to do is find a page on the site that loads dynamically from the backend database. This is pretty easy with a PHP-based site by looking for URL’s structured with the query, like this: “http://www.website.com/page.php?id=32″

A quick test for SQL Injection vulnerability is appending a single quote at the very end of the line. If the web page still loads fine, then the site is secure from this attack. If it returns an “SQL query failed” error, then the site is vulnerable, and you should assume that your data that’s stored there has been compromised.

By appending a to the URL, you’re testing whether you could add additional SQL parameters to trigger a more invasive SQL command.

If you discover the website is safe, then go ahead and change your passwords there. If you see that it is still vulnerable to an SQL Injection attack, then avoid changing your credentials, and instead contact the website owner and inform them of the vulnerability.

While You’re At It…

While you’re going around and changing your passwords on all of the secured sites, consider the following guidelines.

  • Is your password truly unique and strong? Make sure to check out our many articles with password generation tips.
  • Use a Password Manager and make sure your password is different for every single site you use. Try using a password generator for each site.
  • I repeat: Use a unique password for every site!

Beyond password management, there’s another creative approach that lets you actually “get back” at the hackers. This involves making sure that all of your online accounts contain false information — bogus addresses, phone numbers and email addresses. This way, whenever this kind of breach happens, you can just laugh it off, because all of the personal contact info – especially the email which is usually stripped out for spamming purposes – is a complete dud to the hacker.

Obviously, that approach wouldn’t work for a financial site that usually requires confirmed identification, but one would hope that financial websites are far enough ahead of the security curve to be more than safe from something like an SQL Injection hack.

In light of the size and scope of this latest attack, are you concerned about your private information? Do you have any plans to deal with it? Share your thoughts in the comments section below!

Source:New York Times
Image Credits: Invisible man Via Shutterstock, kentoh / Shutterstock

38 Comments - Write a Comment

1 votes
Reply

dragonmouth

Has this been independently verified by anybody else or do we just have the word of Holden Security? It is interesting that only Holden can provide the answers and tools to take care of this problem. How do we know Holden is not running a scam just to drum up business? We have all heard about A/V scanners that find either non-existent viruses or viruses the scanner installed.

0 votes

me

the New York Times is pretty good at fact-checking their stories.

0 votes

dragonmouth

NYT does not strike me as an authority on computer security.

By “independently verified” I mean Symantec, Sophos or some other computer security company.

1 votes
Reply

Ronen

My problem with this story is that out of the blue some obscure security expert, Alex Holden (Hold security), comes out with a story about an obscure team of hackers who stole over billion passwords from (again) obscure websites, and nobody stops and check the facts ? Sounds like a publicity stunt Mr. Holden is pulling, to get clients for his company.

1 votes
Reply

Ryan D

That was my first thought when looking at Holden’s comments and then spotting all those services he’s peddling to “help” everyone (as revealed in this article). I agree with you both entirely.

0 votes

Ishan

The original New York Times article does mentions that NY Times got the database verified by an independent expert. They also mention that Hold Security is the same company that reported data breach at Adobe. So, it does sounds legitimate.

0 votes

dragonmouth

“So, it does sounds legitimate.”
To be successful, a scam must sound legitimate.

Usually when a new security threat or a breach has been discovered, there are reports from multiple security providers with names better known than Holden Security. When Target was breached or when Heartbleed was discovered, there were follow up stories almost daily for days. Since NYT reported this a few days ago, there has been no further news. With so many users and so many sites supposedly affected, I would have expected a media frenzy. Instead all we get is deafening silence. I am not saying it didn’t happen but the way this is playing out is, to say the least, “interesting.”

0 votes
Reply

Jason N

How do you go from “found a database of compromised data” to such a very specific set of information about the group, including number of, and ages of, it’s members…in central Russia? That’s some pretty good sleuthing. How’d he manage that?

0 votes

Ryan D

Well – that’s a good point Jason. And I found it disconcerting that at the end of the article Holden openly admits to being in direct communication with the group. I suppose that’s to “covertly” gain insight into its activities, but you have to wonder what the exact details are about the arrangement.

0 votes
Reply

1-on-1

The US national security state, the most vicious gang in existence, already has all of my personal data, so I quit worrying about protecting it long ago. It takes me a few seconds a day to dump spam, so, with the help of a keeping a few different email addresses going for different uses, I quit worrying about spam. I follow the best advice I can find about password management, check my accounts often, and take the risk of using credit cards and banking online. Am I missing anything?

0 votes

Ryan D

I guess the issue in this case, if the danger is real, is that it doesn’t matter if users follow the best advice for password management, because the sites we trust to protect those credentials have been hacked, and your credentials basically compromised despite your best efforts.

0 votes

Mike Smith

Good for you!

0 votes
Reply

Roberto Roberts

I added a single quote to the end of
http://www.makeuseof.com/tag/russian-hacking-gang-captures-credentials/
and discovered it isn’t immune to SQL attacks.

Makes me question this entire article.

0 votes

Ryan D

Roberto – you don’t get an SQL error as described, you get a 404 not found, because you’re not putting the quote at the end of a URL structured as described (with a “?”)

0 votes
Reply

Robert Doucette

I just spend a few minutes trying to log on to several web sites for investment firms, credit card, other financial firms, newspapers, Facebook, etc. Plus some tiny, little sites. I put a single quote mark ( ‘ ) at the end of every URL, NONE of them loaded but NONE of them came back with a SQL error.

Is there something I don’t understand? Is every site infected or none?

0 votes

Ryan D

Robert – during my tests I found the same. Given that most companies are pretty diligent about closing up security vulnerabilities pretty fast (SQL injection already high on the list of issues they look at), I think most major firms have a good handle on this. The danger of course is that it could be a single page on the site that has the vulnerability – so while checking a few sites for the vulnerability and finding none is a very good sign, there’s always a possibility one page has a bug and is vulnerable. Sounds like you’re in good shape though.

0 votes
Reply

C Beck

Is this an advertisement for Holden? Are there other internet security companies who can help with this problem? This article seems slightly suspicious in that it obviously is trying to direct the reader to the Holden company.

0 votes

Ryan D

Do you mean this one or the NY Times? In this one, my goal was actually to point out how Holden is trying to capitalize on the situation — without doing it in an overtly biased way. And then provided an alternative for folks wanting to protect themselves without having to pay up to Holden (I’m certainly not).

0 votes
Reply

Donald Klein

The skeptics, disbelievers, and conspiracy theorists seem to be in rare form today. I for one will just change my passwords with the banks/brokers I deal with. If you use PayPal don’t forget them. I don’t allow my CC info to be stored at any web site, so I won’t worry about sites I have purchased from. I will also use this opportunity to get a new CC account number from my bank. These are things I do on a regular basis anyway as a matter of prudence.
I will let others worry whether or not it’s a scam perpetrated by Holden Security or others, nor will I waste a minute trying to duplicate the SQL hack to see if it’s all true.

0 votes

dragonmouth

“I don’t allow my CC info to be stored at any web site”
And how do you do that? Once you provide a site with data, they store it whether you want them to or not.

0 votes

Donald Klein

I use PayPal to purchase from individual web sites. PayPal keeps my card and personal information anonymous therefore shielding from the selling web site.

2 votes
Reply

Phil Davis

All the media has been duped by Hold Security.

First the numbers are aggregate estimates of hacking and breeches dating back some indeterminate amount of time. No full disclosure, a sure sign of a hyperbole.

Second, Hold Security wants to capitalize on the victims vulnerability by charging them $120 a year for some nebulous benefits?

The real numbers are about 500 million emails, even fewer real people and Hold Security could benefit far out of proportion to the real problem. If even 1% of the supposed 500 million victims cave in and buy Hold’s service we’re talking $600 Million in revenue (500 million X $120 X 1%) for Hold Security PER YEAR. Perhaps scare tactics will sell well for them.

The supposed Russian hacker crew only wishes they could make as much money from their evil deeds as Hold Security is trying to make off this hype. My guess is that the Russians will do the same thing for you (delist you) and offer you Mafia style “Protection” for less money.

It is absurd and outrageous is all I can say.

Phil

0 votes

Ryan D

Well laid out Phil – I’m pretty much of the same mind.

1 votes
Reply

Sable Jove

Great graphic! The hooded figures, binary, and Russian flag really captures the essence of the article. Would appreciate your crediting the artist / providing contact details

0 votes

Ryan D

Thanks Sable. The artist who created the hooded figures, etc, was our very own Bohed who does many of our feature images on the site. He works for MUO.

0 votes
Reply

Deirdra M

One guy from nowhere knows everything, can’t release all the info? Makes zero indication on how he learned this or how he obtained the output of 420,000 website’s U/P data

Refuses to indicate any of the sites compromised so that users can change their passwords as “there is an ongoing investigation”

oooh, I smell skunk!

1 votes

Ryan D

Yup – a reputable firm would immediately provide a list of compromised websites and free assistance to all Internet users as an effort to protect the entire Internet from the threat. Withholding the information and trying to offer paid services to people to protect themselves only serves to prolong the danger and spread the threat (because of all the people not willing to, or not being able to afford, to pay). Very unfortunate approach, to be sure.

0 votes
Reply

Michael O

I also tried appending the ‘ to sample. database URLs at two of my financial institutions, but got a different result on each. For one, the page loaded fine. For the other, a new page came up saying I had been logged out. Very convincing security!

0 votes
Reply

Zero

So the good old SQL injection still works,,, after all these years?

0 votes

Ryan D

On many sites, apparently it does! I’d be very surprised to find a larger mainstream corporation having a page vulnerable to SQL injection, but I guess anything is possible. Smaller sites, definitely more believable.

0 votes
Reply

Sharon

All secure sites should have an extra layer of protection — such as those robot prevention methods where you have to include additional words/numbers (aside from username and password) that change each time you log in. My bank, HSBC, has gone a step further. They’re actually sending their internet bankers a device that generates a different random number each time one logs in. Without that random number, you’re not getting in!

0 votes

Ryan D

Yes – hardware keys. I’m surprised that they are willing to invest the resources into getting one for every single banking member – that’s impressive!

0 votes
Reply

michael clyde

What’s impressive is thinking that service is offered at no charge, whether hidden or not. Just like people that do not realize that there is absolutely NO financial incentive for the original lending institution to refinance your home loan until they string you along long enough that you default. Those groups think Star Trek was regularly filmed on “remote location”
PayPal had free keys some years ago (not sure about now) but they proved less than reliable for some.

0 votes
Reply

michael clyde

… by the way, thanks Ryan

0 votes
Reply

nevergonnahappen

This is even more revealing. From their website and referring to their new identity monitoring service:
“…Once you register and complete a simple verification process, you will be able to check if your credentials have been found in CyberVor’s possession. We anticipate an overwhelming volume of requests, but please be patient and we will try to help you! We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification.”

So they want me to send them my passwords? Right!

0 votes

Ryan D

That’s what it sounds like. The only folks I send my passwords to are the IT staff at my own company, of the individual online companies that I have the passwords through privately. Yeah – I’d never provide my passwords to a 3rd party entity like that either….crazy.

0 votes
Reply

Timo Jensen

I checked to email accounts on hold securitys service. One is compromised, the other isnt. Free service. I tried to test passwords too (harmless email with no financial complications). Hold verified that one of four passwords are compromised. So now i have three places to correct password. Easy, and simple. I dont see why Hold Security shouldnt be ligit. And its free to check.

0 votes

Ryan D

Interesting – thanks for sharing your findings Timo.

I couldn’t find any free option to check at the Hold Security website – can you provide a link to the free service?

Your comment