What do you get when you cross a dozen Russian criminal hackers with 420,000 websites with an SQL injection vulnerability? You get 4.5 billion compromised user records in the hands of those hackers.
On Tuesday, the New York Times reported that Hold Security of Milwaukee, Wisconsin discovered a database filled with stolen credentials. Alex Holden, chief information security officer of Hold Security tracked down the source of the stolen credentials to a small hacking ring of just under a dozen 20-something year old men, based out of south central Russia. He dubbed the group “CyberVor”.
Holden explained that the “hacking gang” consisted of a team of young men, each with his own role – some writing programs, others working to extract the credentials from the data. The entire outfit operates like an actual business.
The Russian Hacking Gang
According to Holden, CyberVor got started in 2011 as a team of spammers. The business plan then was to purchase stolen contact information off the black market in order to sent out mass spam emails for clients. Over the next few years, the team of criminal entrepreneurs built up a bot-net – a massive network of computers infected with a virus that allows them to be utilized for sending out the spam blasts.
Over time, the team utilized its bot-net to test for which websites were vulnerable to an SQL injection hacking attack. Once a list of websites were compiled, the team then set to work running the hack on the site and extracting the full contents of the database stored there.
With access to the database, the group was able to compile the 4.5 billion records, which turned out to contain a grand total of 1.2 billion unique user name and password credentials, and 542 million unique email addresses.
What This Means
If you think that you could go unscathed from this particular security threat, think again. Considering that there are currently just under 3 billion Internet users in the world, a breach of 1.2 billion unique username and password credentials represents a record-breaking success on the part of the criminal hackers, and it also means that your credentials are very likely at risk.
Orla Cox, the Director of Security Response for Symantec told NPR news that the safest approach to this is to assume that your credentials are compromised.
“I think all Internet users should assume they’ve been impacted by this. Clearly these aren’t opportunists, they aren’t hobbyists. These are full time cyber-criminals they have been likely carrying this out for a number of months, maybe even years.”
How do you know if any of your credentials have been affected? Unfortunately, you don’t – not until Hold Security publishes its online tool that will allow you to test whether your own information is in the database.
Meanwhile, Hold Security is capitalizing on the breach by building a suite of services intended to help website owners and Internet users manage the threat from this hacker gang. Those services include the following:
- Breach Notification Service (BNS) – Alerts you if your site has been impacted by this breach or any other security breach. Cost: $120/year
- Pen Testing and Audit Services – Will audit your site and find any vulnerabilities. No price listed.
- Credentials Integrity Service – Notifies you if any of your website users have had credentials compromised. No price listed.
- Electronic Identity Monitoring Service – Meant for individuals who want to know if their electronic identity is vulnerable or compromised. Pre-registration is available, as the service is under development.
What You Should Do
Of course, the cheapest approach to writing a check to Hold Security to tell you if you’ve been affected, is to simply change all of your passwords. While this may be annoying to do, so close on the heels of the Heartbleed fiasco just a few months ago, it’s really the only sure bet you have to secure your accounts. The problem of course, is that you can’t really do that until you know the websites you use are not vulnerable to SQL Injection.
If you want to determine whether the websites you use to access your accounts are safe or not, then you’ll need a way to know if they are safe from SQL Injection attacks – the weapon of choice for this particular Russian hacker gang.
Thankfully, it’s pretty easy to check if a site is vulnerable to that particular hack. All you need to do is find a page on the site that loads dynamically from the backend database. This is pretty easy with a PHP-based site by looking for URL’s structured with the query, like this: “http://www.website.com/page.php?id=32”
A quick test for SQL Injection vulnerability is appending a single quote at the very end of the line. If the web page still loads fine, then the site is secure from this attack. If it returns an “SQL query failed” error, then the site is vulnerable, and you should assume that your data that’s stored there has been compromised.
By appending a ‘ to the URL, you’re testing whether you could add additional SQL parameters to trigger a more invasive SQL command.
If you discover the website is safe, then go ahead and change your passwords there. If you see that it is still vulnerable to an SQL Injection attack, then avoid changing your credentials, and instead contact the website owner and inform them of the vulnerability.
While You’re At It…
While you’re going around and changing your passwords on all of the secured sites, consider the following guidelines.
- Is your password truly unique and strong? Make sure to check out our many articles with password generation tips.
- Use a Password Manager and make sure your password is different for every single site you use. Try using a password generator for each site.
- I repeat: Use a unique password for every site!
Beyond password management, there’s another creative approach that lets you actually “get back” at the hackers. This involves making sure that all of your online accounts contain false information — bogus addresses, phone numbers and email addresses. This way, whenever this kind of breach happens, you can just laugh it off, because all of the personal contact info – especially the email which is usually stripped out for spamming purposes – is a complete dud to the hacker.
Obviously, that approach wouldn’t work for a financial site that usually requires confirmed identification, but one would hope that financial websites are far enough ahead of the security curve to be more than safe from something like an SQL Injection hack.
In light of the size and scope of this latest attack, are you concerned about your private information? Do you have any plans to deal with it? Share your thoughts in the comments section below!