Russian Gang Said to Steal 1.2 Billion Internet Credentials
A Russian crime ring has reportedly compromised 1.2 billion username and password combinations and more than 500 million unique email addresses, in what is believed to be the largest known collection of stolen Internet credentials.
Citing researchers from Hold Security, a report by the New York Times revealed that Internet credentials were stolen from 420,000 websites, ranging from household names to small Internet sites.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the Hold Security founder and chief information security officer, told the Times. “And most of these sites are still vulnerable.”
Even websites inside Russia had been hacked, and the Russian government appears to have had no involvement in the hacking incident, Holden said.
Hold Security has been monitoring this particular group for some time. The group is said to be based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The gang consists of fewer than a dozen men in their 20s, who are believed to have their computer servers in Russia.
“There is a division of labor within the gang,” said Holden. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
The Russian hackers have been using botnets, networks of private computers infected with malicious software, to steal credentials on a mass scale. When an infected user visits a website that the botnet flags as vulnerable to a well-known hacking technique known as SQL injection, the attackers extract the full contents of its database.
Since most of the affected sites remain vulnerable, as Holden said, the hackers continue to collect users’ credentials from those databases. Holden said his firm had informed some big companies about the breach, but it could not reach every website.
Stolen information such as an email address or Social Security number can be used for identity theft. Because people tend to use the same passwords across multiple web properties, hackers test the stolen credentials to collect sensitive information, such as credit card and brokerage account details.
Security researchers say that companies relying on usernames and passwords need to move quickly to change this; if they don’t, “criminals will just keep stockpiling people’s credentials,” said Avivah Litan, a security analyst at the research firm Gartner.