The personal details of hundreds of millions of people have been discovered for sale on the cyber black market, including one tranche of 105 million electronic records that represents one of the largest hacks ever recorded.
The data – which comprises individual records such as people's names, email addresses and largely unencrypted passwords – was discovered in the first three weeks of this month by US cyber research firm Hold Security.
The company announced on 25 February that it had found nearly 360 million sets of stolen and abused credentials and another 1.25 billion records containing only email addresses.
The firm is now de-duplicating the 360 million accounts against its existing database, but chief information security officer Alex Holden told SCMagazineUK.com that he expects the eventual tally will be around 300 million new stolen sets of credentials. This would bring the company's overall total to 520 to 560 million records collected over the last 10 months. Holden emphasised that these figures are an “educated guess”.
He estimated that just 10 percent of the passwords involved are encrypted or otherwise encoded; the rest are plaintext, which makes this data far more readily usable by attackers than the data stolen last October from Adobe, where the passwords were at least encrypted (though not hashed).
Holden said the email addresses involved are from major providers, primarily Yahoo, Hotmail, AOL and Gmail.
He told us the data had been obtained through Hold Security's monitoring of underground “resources” and of the hackers themselves, many of them located in the former Soviet Union.
Holden said the firm does not yet know which company the 105 million records were stolen from, and believes the new data comes from multiple breaches that have not yet been reported.
“We don't know who the victims are. To find the victim and to notify them, this is a difficult task, it's a daunting task, it's not a pleasant task and it's an expensive task. We try and notify as many victims as we feasibly can.”
Holden added: “The key here is that it's massive. The fact that there are credentials out there should not be surprising to anybody - however the indication is that this has reached a huge scope, the indication is that the database is the size of a large country - 1.25 billion email addresses is enough to spam China.”
Asked if he knew what criminals are doing with the data, Holden said: “The hackers are using this for spam – which is a good thing, we have spam filters, we have defences against spam. But when hackers try to use this huge chain of keys against every lock that they have, they are very likely to have a large amount of success.
“If you had a key set of 100 million email addresses and you're going to go to a large provider; if the large provider allows retrying these credentials over and over, they're going to have a high degree of success. Even 0.1 per cent success would yield them 100,000 accounts which is a huge breach.”
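The attack Holden describes, a stolen list of credentials replayed against a large provider that allows unlimited retries, has a simple signature in the provider's own authentication logs: one source address trying many distinct usernames with a low success rate. The following detector is an added example written for this article, not code from Hold Security or from any provider mentioned; the log format (timestamp, src, user, result), the sample lines and the thresholds are all constructed assumptions. It contrasts a source walking a credential list against a single user mistyping their own password, and lists the accounts the stuffing source actually got into, since those are the ones that need a forced reset.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format; real products (mail providers, IdPs) use their own.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 replays a stolen list (12 different accounts,
# one hit); 198.51.100.7 is one legitimate user who mistypes twice.
SAMPLE_LOG = """\
2014-02-25T10:00:00Z src=203.0.113.5 user=alice@example.com result=FAIL
2014-02-25T10:00:01Z src=203.0.113.5 user=bob@example.com result=FAIL
2014-02-25T10:00:02Z src=203.0.113.5 user=carol@example.com result=FAIL
2014-02-25T10:00:03Z src=203.0.113.5 user=dave@example.com result=FAIL
2014-02-25T10:00:04Z src=203.0.113.5 user=erin@example.com result=FAIL
2014-02-25T10:00:05Z src=203.0.113.5 user=frank@example.com result=FAIL
2014-02-25T10:00:06Z src=203.0.113.5 user=grace@example.com result=FAIL
2014-02-25T10:00:07Z src=203.0.113.5 user=heidi@example.com result=OK
2014-02-25T10:00:08Z src=203.0.113.5 user=ivan@example.com result=FAIL
2014-02-25T10:00:09Z src=203.0.113.5 user=judy@example.com result=FAIL
2014-02-25T10:00:10Z src=203.0.113.5 user=mallory@example.com result=FAIL
2014-02-25T10:00:11Z src=203.0.113.5 user=oscar@example.com result=FAIL
2014-02-25T10:03:00Z src=198.51.100.7 user=bob@example.com result=FAIL
2014-02-25T10:03:09Z src=198.51.100.7 user=bob@example.com result=FAIL
2014-02-25T10:03:20Z src=198.51.100.7 user=bob@example.com result=OK
"""


def parse_log(text):
    """Turn matching log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m["src"], "user": m["user"],
                       "ok": m["result"] == "OK"})
    return events


def source_stats(events, window=timedelta(minutes=10)):
    """Per source address: attempts, distinct users and successes within `window`
    of that source's most recent attempt."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    stats = {}
    for src, evs in by_src.items():
        cutoff = evs[-1]["ts"] - window
        recent = [e for e in evs if e["ts"] >= cutoff]
        stats[src] = {
            "attempts": len(recent),
            "distinct_users": len({e["user"] for e in recent}),
            "successes": sum(e["ok"] for e in recent),
        }
    return stats


def flag_stuffing(stats, min_attempts=10, min_distinct_users=8, max_success_rate=0.2):
    """A source trying many different accounts with a low hit rate is a key ring
    being tried against every lock. Thresholds are illustrative assumptions;
    a real deployment tunes them against its own traffic."""
    flagged = {}
    for src, s in stats.items():
        rate = s["successes"] / s["attempts"] if s["attempts"] else 0.0
        flagged[src] = (s["attempts"] >= min_attempts
                        and s["distinct_users"] >= min_distinct_users
                        and rate <= max_success_rate)
    return flagged


def compromised_accounts(events, flagged):
    """Accounts a flagged source actually logged into: force a reset on these."""
    return sorted({e["user"] for e in events if flagged.get(e["src"]) and e["ok"]})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    st = source_stats(evs)
    fl = flag_stuffing(st)
    for src, s in st.items():
        print(src, s, "STUFFING" if fl[src] else "normal")
    print("force reset:", compromised_accounts(evs, fl))
```

The legitimate user fails more often than the stuffing source in proportional terms (two of three attempts), so a failure-rate threshold alone would misfire; the distinguishing signal is the number of distinct accounts per source, which is why per-source retry limits and distinct-username counting matter more than per-account lockout against this attack. The single `OK` from the stuffing source is the breach: in a list of 100 million credentials, Holden's 0.1 percent is that one hit repeated a hundred thousand times.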
The scale of the find has surprised industry watchers. Professor John Walker, a director of Integral Security Xssurance, said: “If there was an Olympics in data breaches this one would take the gold medal.”
Walker said the discovery indicates major failings on the part of those responsible for cyber security. He told SCMagazineUK.com via email: “This is an example of the amount of data that has been lost, breached, stolen that's floating round in the public arena - which is only coming to light when somebody in the criminal world publishes it. And it is demonstrating a clear gross failing on the part of those upon whom it is incumbent to protect our security.
“The fundamental challenge is that with data breach notifications, companies are not doing the right thing. I know from inside of organisations that have lost data and simply haven't reported it.”
Andy Heather, VP for EMEA at Voltage Security, said organisations need a new security approach in response. He told SCMagazineUK.com: “Traditional security approaches continue to fail to protect the real assets - which is the sensitive data. Only a data-centric approach, which neutralises the data and makes it valueless to the hackers, can ensure that when these inevitable breaches occur the data remains safe and secure.
“The fact that this involved account information and not just credit card numbers highlights that the criminals will take the path of least resistance to compromise consumers' credit card details and bank accounts. Companies must use strong encryption to protect all personally identifiable information, especially if it can be used to gain access to consumers' hard-earned money.”
Walker added: “I think it's clear that the protection - be it onsite, on servers or the way companies handle data internally and the mobile aspect of data – one or all of those factors must be flawed because this stuff is escaping. It's still the case that organisations are not taking security seriously. People need to start to think security, rather than react to the circumstance of a breach. We have to think before it happens not after the horse has bolted.”