Russian Hacking Gang Captures 1.2 Billion Credentials: What You Should Do

Ryan Dube 07-08-2014

What do you get when you cross a dozen Russian criminal hackers with 420,000 websites with an SQL injection vulnerability? You get 4.5 billion compromised user records in the hands of those hackers.


On Tuesday, the New York Times reported that Hold Security of Milwaukee, Wisconsin discovered a database filled with stolen credentials. Alex Holden, chief information security officer of Hold Security tracked down the source of the stolen credentials to a small hacking ring of just under a dozen 20-something year old men, based out of south central Russia. He dubbed the group “CyberVor”.

Holden explained that the “hacking gang” consisted of a team of young men, each with his own role – some writing programs, others working to extract the credentials from the data. The entire outfit operates like an actual business.

The Russian Hacking Gang

According to Holden, CyberVor got started in 2011 as a team of spammers. The business plan then was to purchase stolen contact information off the black market in order to sent out mass spam emails for clients. Over the next few years, the team of criminal entrepreneurs built up a bot-net – a massive network of computers infected with a virus that allows them to be utilized for sending out the spam blasts.


Over time, the team utilized its bot-net to test for which websites were vulnerable to an SQL injection hacking attack. Once a list of websites were compiled, the team then set to work running the hack on the site and extracting the full contents of the database stored there.


With access to the database, the group was able to compile the 4.5 billion records, which turned out to contain a grand total of 1.2 billion unique user name and password credentials, and 542 million unique email addresses.

What This Means

If you think that you could go unscathed from this particular security threat, think again. Considering that there are currently just under 3 billion Internet users in the world, a breach of 1.2 billion unique username and password credentials represents a record-breaking success on the part of the criminal hackers, and it also means that your credentials are very likely at risk.

Orla Cox, the Director of Security Response for Symantec told NPR news that the safest approach to this is to assume that your credentials are compromised.

“I think all Internet users should assume they’ve been impacted by this. Clearly these aren’t opportunists, they aren’t hobbyists. These are full time cyber-criminals they have been likely carrying this out for a number of months, maybe even years.”

How do you know if any of your credentials have been affected? Unfortunately, you don’t – not until Hold Security publishes its online tool that will allow you to test whether your own information is in the database.


Meanwhile, Hold Security is capitalizing on the breach by building a suite of services intended to help website owners and Internet users manage the threat from this hacker gang. Those services include the following:

  • Breach Notification Service (BNS) – Alerts you if your site has been impacted by this breach or any other security breach. Cost: $120/year
  • Pen Testing and Audit Services – Will audit your site and find any vulnerabilities. No price listed.
  • Credentials Integrity Service – Notifies you if any of your website users have had credentials compromised. No price listed.
  • Electronic Identity Monitoring Service – Meant for individuals who want to know if their electronic identity is vulnerable or compromised. Pre-registration is available, as the service is under development.

What You Should Do

Of course, the cheapest approach to writing a check to Hold Security to tell you if you’ve been affected, is to simply change all of your passwords. While this may be annoying to do, so close on the heels of the Heartbleed fiasco just a few months ago Heartbleed – What Can You Do To Stay Safe? Read More , it’s really the only sure bet you have to secure your accounts. The problem of course, is that you can’t really do that until you know the websites you use are not vulnerable to SQL Injection.


If you want to determine whether the websites you use to access your accounts are safe or not, then you’ll need a way to know if they are safe from SQL Injection attacks – the weapon of choice for this particular Russian hacker gang.


Thankfully, it’s pretty easy to check if a site is vulnerable to that particular hack.  All you need to do is find a page on the site that loads dynamically from the backend database. This is pretty easy with a PHP-based site by looking for URL’s structured with the query, like this: “”

A quick test for SQL Injection vulnerability is appending a single quote at the very end of the line. If the web page still loads fine, then the site is secure from this attack. If it returns an “SQL query failed” error, then the site is vulnerable, and you should assume that your data that’s stored there has been compromised.

By appending a to the URL, you’re testing whether you could add additional SQL parameters to trigger a more invasive SQL command.

If you discover the website is safe, then go ahead and change your passwords there. If you see that it is still vulnerable to an SQL Injection attack, then avoid changing your credentials, and instead contact the website owner and inform them of the vulnerability.


While You’re At It…

While you’re going around and changing your passwords on all of the secured sites, consider the following guidelines.

Beyond password management, there’s another creative approach that lets you actually “get back” at the hackers. This involves making sure that all of your online accounts contain false information — bogus addresses, phone numbers and email addresses. This way, whenever this kind of breach happens, you can just laugh it off, because all of the personal contact info – especially the email which is usually stripped out for spamming purposes – is a complete dud to the hacker.

Obviously, that approach wouldn’t work for a financial site that usually requires confirmed identification, but one would hope that financial websites are far enough ahead of the security curve to be more than safe from something like an SQL Injection hack.

In light of the size and scope of this latest attack, are you concerned about your private information? Do you have any plans to deal with it? Share your thoughts in the comments section below!

Source: New York Times
Image Credits: Invisible man Via Shutterstock, kentoh / Shutterstock

Related topics: Hacking, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Anonymous
    August 5, 2016 at 12:16 pm

    ...IF YOU NEED A PROFESSIONAL HACKING SERVICE GO TO prohackspace . com a site i discovered 3months ago after i had already wasted my time with some hackers that cant do anything, the hackers on prohackspace are legit and even affordable they helped me with my divorce and i promise to save others from getting into the hands of fake hackers, for any hacking service you need go to the site or mail them via info @ prohackspace . com

  2. Anonymous
    March 12, 2015 at 3:00 pm

    Thnx lisa for the reference, I took your advice, hired him and he did the job for me. contact him at prohacx @outlook dot com

  3. Lisa Andersen
    March 9, 2015 at 12:32 am

    Thank you Sam, I thought it was impossible to hack into Facebook till I contacted you. After being scammed countless times, I was reluctant to give it a trial, I paid and the job was swiftly done. I am indebted to you Sam, anyone need a hacker for hire? prohacx(at)outlook dot com is who you should contact

  4. Wise Geek
    January 30, 2015 at 9:40 am

    Do you want to hack a college degree of any university,

    do you intend to upgrade your score, do you need that

    information concerning any database, do you need bank

    details, credit card details, SSN, hack into your

    cheating spouse's phone to get any info you want? add me

    on Y! messenger @ wisegeek2001

  5. Timo Jensen
    August 17, 2014 at 3:45 pm

    I checked to email accounts on hold securitys service. One is compromised, the other isnt. Free service. I tried to test passwords too (harmless email with no financial complications). Hold verified that one of four passwords are compromised. So now i have three places to correct password. Easy, and simple. I dont see why Hold Security shouldnt be ligit. And its free to check.

    • Ryan D
      August 17, 2014 at 5:14 pm

      Interesting - thanks for sharing your findings Timo.

      I couldn't find any free option to check at the Hold Security website - can you provide a link to the free service?

  6. nevergonnahappen
    August 12, 2014 at 3:26 pm

    This is even more revealing. From their website and referring to their new identity monitoring service:
    "...Once you register and complete a simple verification process, you will be able to check if your credentials have been found in CyberVor’s possession. We anticipate an overwhelming volume of requests, but please be patient and we will try to help you! We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification."

    So they want me to send them my passwords? Right!

    • Ryan D
      August 17, 2014 at 5:15 pm

      That's what it sounds like. The only folks I send my passwords to are the IT staff at my own company, of the individual online companies that I have the passwords through privately. Yeah - I'd never provide my passwords to a 3rd party entity like that either....crazy.

  7. michael clyde
    August 12, 2014 at 10:08 am

    ... by the way, thanks Ryan

  8. michael clyde
    August 12, 2014 at 9:59 am

    What's impressive is thinking that service is offered at no charge, whether hidden or not. Just like people that do not realize that there is absolutely NO financial incentive for the original lending institution to refinance your home loan until they string you along long enough that you default. Those groups think Star Trek was regularly filmed on "remote location"
    PayPal had free keys some years ago (not sure about now) but they proved less than reliable for some.

  9. Sharon
    August 11, 2014 at 1:42 pm

    All secure sites should have an extra layer of protection -- such as those robot prevention methods where you have to include additional words/numbers (aside from username and password) that change each time you log in. My bank, HSBC, has gone a step further. They're actually sending their internet bankers a device that generates a different random number each time one logs in. Without that random number, you're not getting in!

    • Ryan D
      August 11, 2014 at 6:56 pm

      Yes - hardware keys. I'm surprised that they are willing to invest the resources into getting one for every single banking member - that's impressive!

  10. Zero
    August 11, 2014 at 12:34 am

    So the good old SQL injection still works,,, after all these years?

    • Ryan D
      August 11, 2014 at 6:55 pm

      On many sites, apparently it does! I'd be very surprised to find a larger mainstream corporation having a page vulnerable to SQL injection, but I guess anything is possible. Smaller sites, definitely more believable.

  11. Michael O
    August 10, 2014 at 9:14 pm

    I also tried appending the ' to sample. database URLs at two of my financial institutions, but got a different result on each. For one, the page loaded fine. For the other, a new page came up saying I had been logged out. Very convincing security!

  12. Deirdra M
    August 8, 2014 at 9:18 pm

    One guy from nowhere knows everything, can't release all the info? Makes zero indication on how he learned this or how he obtained the output of 420,000 website’s U/P data

    Refuses to indicate any of the sites compromised so that users can change their passwords as “there is an ongoing investigation”

    oooh, I smell skunk!

    • Ryan D
      August 9, 2014 at 1:59 am

      Yup - a reputable firm would immediately provide a list of compromised websites and free assistance to all Internet users as an effort to protect the entire Internet from the threat. Withholding the information and trying to offer paid services to people to protect themselves only serves to prolong the danger and spread the threat (because of all the people not willing to, or not being able to afford, to pay). Very unfortunate approach, to be sure.

  13. Sable Jove
    August 8, 2014 at 7:41 pm

    Great graphic! The hooded figures, binary, and Russian flag really captures the essence of the article. Would appreciate your crediting the artist / providing contact details

    • Ryan D
      August 9, 2014 at 1:55 am

      Thanks Sable. The artist who created the hooded figures, etc, was our very own Bohed who does many of our feature images on the site. He works for MUO.

  14. Phil Davis
    August 8, 2014 at 7:39 pm

    All the media has been duped by Hold Security.

    First the numbers are aggregate estimates of hacking and breeches dating back some indeterminate amount of time. No full disclosure, a sure sign of a hyperbole.

    Second, Hold Security wants to capitalize on the victims vulnerability by charging them $120 a year for some nebulous benefits?

    The real numbers are about 500 million emails, even fewer real people and Hold Security could benefit far out of proportion to the real problem. If even 1% of the supposed 500 million victims cave in and buy Hold's service we're talking $600 Million in revenue (500 million X $120 X 1%) for Hold Security PER YEAR. Perhaps scare tactics will sell well for them.

    The supposed Russian hacker crew only wishes they could make as much money from their evil deeds as Hold Security is trying to make off this hype. My guess is that the Russians will do the same thing for you (delist you) and offer you Mafia style "Protection" for less money.

    It is absurd and outrageous is all I can say.


    • Ryan D
      August 9, 2014 at 1:54 am

      Well laid out Phil - I'm pretty much of the same mind.

  15. Donald Klein
    August 8, 2014 at 6:16 pm

    The skeptics, disbelievers, and conspiracy theorists seem to be in rare form today. I for one will just change my passwords with the banks/brokers I deal with. If you use PayPal don't forget them. I don't allow my CC info to be stored at any web site, so I won't worry about sites I have purchased from. I will also use this opportunity to get a new CC account number from my bank. These are things I do on a regular basis anyway as a matter of prudence.
    I will let others worry whether or not it's a scam perpetrated by Holden Security or others, nor will I waste a minute trying to duplicate the SQL hack to see if it's all true.

    • dragonmouth
      August 8, 2014 at 8:02 pm

      "I don’t allow my CC info to be stored at any web site"
      And how do you do that? Once you provide a site with data, they store it whether you want them to or not.

    • Donald Klein
      August 8, 2014 at 8:07 pm

      I use PayPal to purchase from individual web sites. PayPal keeps my card and personal information anonymous therefore shielding from the selling web site.

  16. C Beck
    August 8, 2014 at 6:15 pm

    Is this an advertisement for Holden? Are there other internet security companies who can help with this problem? This article seems slightly suspicious in that it obviously is trying to direct the reader to the Holden company.

    • Ryan D
      August 9, 2014 at 1:53 am

      Do you mean this one or the NY Times? In this one, my goal was actually to point out how Holden is trying to capitalize on the situation -- without doing it in an overtly biased way. And then provided an alternative for folks wanting to protect themselves without having to pay up to Holden (I'm certainly not).

  17. Robert Doucette
    August 8, 2014 at 5:25 pm

    I just spend a few minutes trying to log on to several web sites for investment firms, credit card, other financial firms, newspapers, Facebook, etc. Plus some tiny, little sites. I put a single quote mark ( ' ) at the end of every URL, NONE of them loaded but NONE of them came back with a SQL error.

    Is there something I don't understand? Is every site infected or none?

    • Ryan D
      August 9, 2014 at 1:51 am

      Robert - during my tests I found the same. Given that most companies are pretty diligent about closing up security vulnerabilities pretty fast (SQL injection already high on the list of issues they look at), I think most major firms have a good handle on this. The danger of course is that it could be a single page on the site that has the vulnerability - so while checking a few sites for the vulnerability and finding none is a very good sign, there's always a possibility one page has a bug and is vulnerable. Sounds like you're in good shape though.

  18. Roberto Roberts
    August 8, 2014 at 5:13 pm

    I added a single quote to the end of
    and discovered it isn't immune to SQL attacks.

    Makes me question this entire article.

    • Ryan D
      August 11, 2014 at 6:53 pm

      Roberto - you don't get an SQL error as described, you get a 404 not found, because you're not putting the quote at the end of a URL structured as described (with a "?")

  19. 1-on-1
    August 8, 2014 at 4:14 pm

    The US national security state, the most vicious gang in existence, already has all of my personal data, so I quit worrying about protecting it long ago. It takes me a few seconds a day to dump spam, so, with the help of a keeping a few different email addresses going for different uses, I quit worrying about spam. I follow the best advice I can find about password management, check my accounts often, and take the risk of using credit cards and banking online. Am I missing anything?

    • Ryan D
      August 9, 2014 at 1:48 am

      I guess the issue in this case, if the danger is real, is that it doesn't matter if users follow the best advice for password management, because the sites we trust to protect those credentials have been hacked, and your credentials basically compromised despite your best efforts.

    • Mike Smith
      August 10, 2014 at 12:05 am

      Good for you!

  20. Jason N
    August 8, 2014 at 3:17 pm

    How do you go from "found a database of compromised data" to such a very specific set of information about the group, including number of, and ages of, it's central Russia? That's some pretty good sleuthing. How'd he manage that?

    • Ryan D
      August 9, 2014 at 1:47 am

      Well - that's a good point Jason. And I found it disconcerting that at the end of the article Holden openly admits to being in direct communication with the group. I suppose that's to "covertly" gain insight into its activities, but you have to wonder what the exact details are about the arrangement.

  21. Ryan D
    August 7, 2014 at 9:32 pm

    That was my first thought when looking at Holden's comments and then spotting all those services he's peddling to "help" everyone (as revealed in this article). I agree with you both entirely.

    • Ishan
      August 8, 2014 at 5:07 am

      The original New York Times article does mentions that NY Times got the database verified by an independent expert. They also mention that Hold Security is the same company that reported data breach at Adobe. So, it does sounds legitimate.

    • dragonmouth
      August 8, 2014 at 12:25 pm

      "So, it does sounds legitimate."
      To be successful, a scam must sound legitimate.

      Usually when a new security threat or a breach has been discovered, there are reports from multiple security providers with names better known than Holden Security. When Target was breached or when Heartbleed was discovered, there were follow up stories almost daily for days. Since NYT reported this a few days ago, there has been no further news. With so many users and so many sites supposedly affected, I would have expected a media frenzy. Instead all we get is deafening silence. I am not saying it didn't happen but the way this is playing out is, to say the least, "interesting."

  22. Ronen
    August 7, 2014 at 9:01 pm

    My problem with this story is that out of the blue some obscure security expert, Alex Holden (Hold security), comes out with a story about an obscure team of hackers who stole over billion passwords from (again) obscure websites, and nobody stops and check the facts ? Sounds like a publicity stunt Mr. Holden is pulling, to get clients for his company.

  23. dragonmouth
    August 7, 2014 at 8:50 pm

    Has this been independently verified by anybody else or do we just have the word of Holden Security? It is interesting that only Holden can provide the answers and tools to take care of this problem. How do we know Holden is not running a scam just to drum up business? We have all heard about A/V scanners that find either non-existent viruses or viruses the scanner installed.

    • me
      August 8, 2014 at 9:28 pm

      the New York Times is pretty good at fact-checking their stories.

    • dragonmouth
      August 8, 2014 at 10:31 pm

      NYT does not strike me as an authority on computer security.

      By "independently verified" I mean Symantec, Sophos or some other computer security company.