
Russian Hackers Steal 1.2 Billion Usernames and Passwords


By Joe Benson

Generally I try to vary newsletter article topics. You may recall last month I talked about Chinese hackers penetrating Office of Personnel Management (OPM) databases which contain files on all federal employees, including thousands who have applied for new or updated security clearances.

Unfortunately, another successful cyber-attack has been reported that has specific relevance to each of you. This time the compromise involves usernames and passwords.

Research specialist Hold Security, a Milwaukee firm which specializes in uncovering data breaches like this, reported that a Russian hacker group was responsible for the theft and compromise of 1.2 billion password and username combinations and more than 500 million email addresses. The stolen information was collected and consolidated from 420,000 websites ranging from Fortune 500 companies and small businesses, to international and U.S.-based firms.

Because of nondisclosure agreements and a reluctance to identify companies still at risk, Hold Security is not currently providing a lot of detail on specific attack vectors used. However, they did reveal that there was no obvious pattern to the sites that were attacked. Instead of hacking select businesses that might be considered high value targets, the methodology seemed to focus on targeting individuals.

The hackers would get into an organization and obtain email, username, and password combinations specific to an individual. Once hackers found an individual to victimize, the group tracked down their internet history and targeted every website he or she logged into. The tragedy, beauty, and simplicity of this technique is immense. So many men and women use one or only a few subtle variations of one username/password combination for the majority of sites that require controlled access.

This is yet another real-world example of the importance of password security. Anglicotech Security highly recommends changing passwords to websites that hold sensitive information, such as bank account information and health records. Make the passwords different for each site so you will be able to compartmentalize the impact, preventing hackers from gaining access to all your information through one account.

Content for this article was compiled and abridged from multiple web sources.