Hold Security researchers are reporting that a cybercrime gang based in Russia has collected 1.2 billion user names and passwords and over 500 email addresses stolen from more than 4.5 billion user records at over 400,000 websites and FTP sites worldwide.
The researchers are calling the gang CyberVor.
In a recent blog post, Hold Security explained that the CyberVors purchased access to botnets on the black market, which they leveraged to identify SQL vulnerabilities on websites visited by infected computers. “The botnet conducted possibly the largest security audit ever,” the researchers wrote. “Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases.”
Hold Security founder Alex Holden told the New York Times that the group targeted websites across the globe, from Fortune 500 companies to tiny sites. “And most of these sites are still vulnerable,” he said.
At this point, the stolen data isn’t being sold online — the CyberVors appear to be using the credentials to send spam on social networks for a fee.
The group apparently includes fewer than a dozen men in their 20s. “There is a division of labor within the gang,” Holden told the Times. “Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living.”
Solutionary senior security strategist Jon Heimerl said by email that the CyberVors provide an excellent example of how hackers are working together and pooling resources to maximize their impact. “The data was not all gathered from the same group or via the same methods, but by repeated attempts to infiltrate systems in a systematic manner — scan, check, repeat,” he said. “The data was ultimately the result of hundreds, and thousands of attacks spread across years.”
And ThreatStream CTO Greg Martin said by email that the breach clearly demonstrates how dangerous it is to use the same passwords on different websites. “Bad habits are hard to break, and enterprises need to protect their end consumer by forcing them to change their behavior,” he said. “Enterprises offering multi-factor authentication and enforcing password policies help make access to customer information more difficult to obtain, which makes your customer less attractive to bad actors.”
In the meantime, SilverSky security architect Joshua Roback suggested several ways to improve password security. “Utilizing a password management system like LastPass or 1Password is a good option, but I personally don’t like the idea of storing my password in a central location,” he said. “I rely on my own system including a common string with all the standard password requirements (upper case, numbers, special character, etc.) along with some letters from the Web service name sprinkled in. An example for Google with a common string of d0nt!H4ckM3 would be good0nt!H4ckM3oog.”
This is just one of several major breaches that Hold Security researchers have recently uncovered — in January of 2014, Hold Security discovered that a Russian hacker had compromised an FTP server at the BBC, and a month later, the company warned that hackers had compromised more than 7,000 FTP sites in order to distribute malware.