Russian Hacking Gang Captures 1.2 Billion Credentials: What You Should Do


What do you get when you cross a dozen Russian criminal hackers with 420,000 websites with an SQL injection vulnerability? You get 4.5 billion compromised user records in the hands of those hackers.

On Tuesday, the New York Times reported that Hold Security of Milwaukee, Wisconsin, discovered a database filled with stolen credentials. Alex Holden, chief information security officer of Hold Security, tracked down the source of the stolen credentials to a small hacking ring of just under a dozen 20-something-year-old men, based out of south central Russia. He dubbed the group “CyberVor”.

Holden explained that the “hacking gang” consisted of a team of young men, each with his own role – some writing programs, others working to extract the credentials from the data. The entire outfit operates like an actual business.

The Russian Hacking Gang

According to Holden, CyberVor got started in 2011 as a team of spammers. The business plan then was to purchase stolen contact information off the black market in order to send out mass spam emails for clients. Over the next few years, the team of criminal entrepreneurs built up a bot-net – a massive network of computers infected with a virus that allows them to be utilized for sending out the spam blasts.


Over time, the team utilized its bot-net to test which websites were vulnerable to an SQL injection attack. Once a list of websites was compiled, the team then set to work running the hack on each site and extracting the full contents of the database stored there.

With access to the database, the group was able to compile the 4.5 billion records, which turned out to contain a grand total of 1.2 billion unique user name and password credentials, and 542 million unique email addresses.


What This Means

If you think that you could go unscathed from this particular security threat, think again. Considering that there are currently just under 3 billion Internet users in the world, a breach of 1.2 billion unique username and password credentials represents a record-breaking success on the part of the criminal hackers, and it also means that your credentials are very likely at risk.

Orla Cox, the Director of Security Response for Symantec, told NPR News that the safest approach to this is to assume that your credentials are compromised.

“I think all Internet users should assume they’ve been impacted by this. Clearly these aren’t opportunists, they aren’t hobbyists. These are full-time cyber-criminals; they have likely been carrying this out for a number of months, maybe even years.”

How do you know if any of your credentials have been affected? Unfortunately, you don’t – not until Hold Security publishes its online tool that will allow you to test whether your own information is in the database.

Meanwhile, Hold Security is capitalizing on the breach by building a suite of services intended to help website owners and Internet users manage the threat from this hacker gang. Those services include the following:

  • Breach Notification Service (BNS) – Alerts you if your site has been impacted by this breach or any other security breach. Cost: $120/year
  • Pen Testing and Audit Services – Will audit your site and find any vulnerabilities. No price listed.
  • Credentials Integrity Service – Notifies you if any of your website users have had credentials compromised. No price listed.
  • Electronic Identity Monitoring Service – Meant for individuals who want to know if their electronic identity is vulnerable or compromised. Pre-registration is available, as the service is under development.

What You Should Do

Of course, the cheapest alternative to writing a check to Hold Security to tell you whether you’ve been affected is simply to change all of your passwords. While this may be annoying to do so close on the heels of the Heartbleed fiasco just a few months ago, it’s really the only sure bet you have to secure your accounts. The problem, of course, is that you can’t really do that until you know the websites you use are not vulnerable to SQL injection.


If you want to determine whether the websites you use to access your accounts are safe or not, then you’ll need a way to know if they are safe from SQL Injection attacks – the weapon of choice for this particular Russian hacker gang.

Thankfully, it’s pretty easy to check if a site is vulnerable to that particular hack. All you need to do is find a page on the site that loads dynamically from the backend database. This is pretty easy on a PHP-based site: look for URLs that carry a query string, like this: “http://www.website.com/page.php?id=32”

A quick test for SQL injection vulnerability is appending a single quote at the very end of the URL. If the web page still loads fine, then the site is secure from this attack. If it returns an “SQL query failed” error, then the site is vulnerable, and you should assume that your data that’s stored there has been compromised.

By appending a single quote to the URL, you’re testing whether additional SQL could be added to the query parameter to trigger a more invasive SQL command.

If you discover the website is safe, then go ahead and change your passwords there. If you see that it is still vulnerable to an SQL Injection attack, then avoid changing your credentials, and instead contact the website owner and inform them of the vulnerability.
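To show why the single-quote check above produces a database error on a vulnerable site and not on a properly written one, here is an added example that is not from the article. The article’s example site is PHP-based; this uses Python with an in-memory SQLite database constructed inline, and the `pages` table, its columns and the function names are assumptions.

```python
import sqlite3

# Constructed sample backend standing in for the site's database (assumed schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(32, "About us"), (33, "Contact")])
    return conn

def lookup_vulnerable(conn, page_id):
    # The pattern behind "page.php?id=32" on a vulnerable site: the raw
    # parameter is pasted into the SQL text, so id=32' yields an unterminated
    # string literal and the database rejects the whole statement.
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, page_id):
    # Validate the type first: a page id is an integer, nothing else.
    if not page_id.isdigit():
        return []  # Reject without querying; the caller serves a 404 page.
    # Bind the value as a parameter so it never becomes part of the SQL text.
    return conn.execute("SELECT title FROM pages WHERE id = ?",
                        (int(page_id),)).fetchall()

def probe(fn, page_id):
    """What the visitor sees for a given id value: the page loads, a normal
    'no such page' response, or the 'SQL query failed' error the article describes."""
    conn = make_db()
    try:
        rows = fn(conn, page_id)
    except sqlite3.Error:
        return "SQL query failed"
    return "loads" if rows else "no such page"

if __name__ == "__main__":
    for pid in ("32", "32'"):
        print(f"id={pid!r}: vulnerable -> {probe(lookup_vulnerable, pid)}, "
              f"hardened -> {probe(lookup_hardened, pid)}")
```

Note that the hardened version answers the probe with an ordinary page, and so does any application that merely hides its database errors, so a page that loads is not by itself proof that the query is parameterized.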

While You’re At It…

While you’re going around and changing your passwords on all of the secured sites, consider the following guidelines.

  • Is your password truly unique and strong? Make sure to check out our many articles with password generation tips.
  • Use a Password Manager and make sure your password is different for every single site you use. Try using a password generator for each site.
  • I repeat: Use a unique password for every site!

Beyond password management, there’s another creative approach that lets you actually “get back” at the hackers. This involves making sure that all of your online accounts contain false information — bogus addresses, phone numbers and email addresses. This way, whenever this kind of breach happens, you can just laugh it off, because all of the personal contact info – especially the email which is usually stripped out for spamming purposes – is a complete dud to the hacker.

Obviously, that approach wouldn’t work for a financial site that usually requires confirmed identification, but one would hope that financial websites are far enough ahead of the security curve to be more than safe from something like an SQL Injection hack.

In light of the size and scope of this latest attack, are you concerned about your private information? Do you have any plans to deal with it? Share your thoughts in the comments section below!

Source: New York Times
Image Credits: Invisible man Via Shutterstock, kentoh / Shutterstock

Comments (41)
  • Timo Jensen

    I checked two email accounts on Hold Security's service. One is compromised, the other isn't. Free service. I tried to test passwords too (harmless email with no financial complications). Hold verified that one of four passwords is compromised. So now I have three places to correct the password. Easy and simple. I don't see why Hold Security shouldn't be legit. And it's free to check.

    • Ryan D

      Interesting – thanks for sharing your findings Timo.

      I couldn’t find any free option to check at the Hold Security website – can you provide a link to the free service?

  • nevergonnahappen

    This is even more revealing. From their website and referring to their new identity monitoring service:
    “…Once you register and complete a simple verification process, you will be able to check if your credentials have been found in CyberVor’s possession. We anticipate an overwhelming volume of requests, but please be patient and we will try to help you! We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification.”

    So they want me to send them my passwords? Right!

    • Ryan D

      That’s what it sounds like. The only folks I send my passwords to are the IT staff at my own company, or the individual online companies that I have the passwords through privately. Yeah – I’d never provide my passwords to a 3rd party entity like that either... crazy.

Affiliate Disclaimer

This review may contain affiliate links, which pay us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.