Russian Hacking Ring Steals More Than a Billion Passwords
Blink, and there's another headline about yet another data breach. First, it was Target. Then, in quick succession, Neiman Marcus and Michaels announced data breaches of their own. More recently – just this past Monday, in fact -- P.F. Chang's said that customers' credit-card information at 33 of its locations had been compromised.
Back in January, the U.S. Federal Bureau of Investigation warned retailers to expect more attacks.
They weren't joking. Turns out, the rash of reported attacks represents just a small fraction of the personal data already stolen by hackers.
Beginning in earnest this April, a Russian crime ring has collected the largest known stockpile of stolen online credentials, making off with 1.2 billion user name and password combinations and more than 500 million email addresses, The New York Times reported.
This wide-scale hack job, which was brought to light by the cybersecurity firm Holden Security, targeted over 420,000 websites ranging from big-name companies to smaller websites, the firm wrote in a blog post.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, told the Times. “And most of these sites are still vulnerable.” In part for this reason, the firm has declined to identify a list of victims.
All of this havoc was can be traced back to less than a dozen men in their 20s living in a small city in south central Russia, the Times reported. For now, it appears these guys are primarily using the stolen data to spam Twitter for other groups, charging a fee for the service.
This, the Times noted, isn't the best business strategy: "Selling more of the records on the black market would be lucrative."
Because people tend to use the same password for multiple sites, a single password, along with other stolen credentials, can be very valuable. Let's say a thief gains access to your password for a retail site; he or she can then test it to try and access your bank account. (In other words, if your password for multiple sites – scratch that, any site – is "12345," please change it now).
This, of course, will not be the last time a massive security breach makes headlines. Do yourself a favor, then, and beef up your password security before the next attack is unearthed.
For reprints and licensing questions, click here.