Billion plus credentials hacked by Russian gang: industry reaction

News by Tony Morbin

US security firm Hold Security claims to have discovered the biggest ever hack, with 4.5 billion records stolen, but it also sought to charge hacked websites for confirmation of breach.

Once you get past the unprecedented numbers – the compromise of 4.5 billion records including 1.2 billion unique credentials and 500,000 email addresses, taken from more than 420,000 FTP/websites – the revelations by Hold Security of a data breach by a Russian gang dubbed CyberVor appear to describe an attack based on known vulnerabilities, but on an entirely new scale.

Much of the industry's reaction has focused on the renewed calls for an alternative to passwords, along with the whole issue of how such breaches are reported given Hold's failure to notify those breached, and its 'novel' approach to monetising the discovery.

Hold's first inclination was to charge website owners to find out if their website was hacked, saying: “After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches.” 

According to the Wall Street Journal, the firm posted a message on its site saying it would charge US$120 (£71) a month for its breach notification service, but this was later replaced by a message saying "coming soon!"

For individuals, Hold says it will be providing a full electronic identity monitoring service within the next 60 days. The company statement adds: “Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable. While we are getting our full service ready, we are inviting you to express your interest by pre-registering, free of charge and without any commitment.”

James Mullock, lawyer and partner at international law firm Osborne Clarke, noted in a public statement: “An interesting feature of the attack having been uncovered by an independent security firm is the unstructured process by which news of which businesses have been hacked reaches those organisations. There is currently little legislative guidance regulating how that process should operate and it appears ripe for review."

Vanja Svajcer, principal security researcher at Sophos, concurred, adding in an email to SC: “This is quite an unusual approach to remediating an alleged major credentials compromise. For a long time the security industry has freely shared information on breaches within its own community. Researchers discovering credentials breaches usually help end users either by making the information about compromised accounts public or by working with the company whose servers were compromised to inform all affected users.

"In this case, the credentials were harvested from thousands of servers and it would be difficult to work with every server owner to inform the compromised users. Nevertheless, it is reasonable to expect the company to make the information freely available so everybody can check that none of their email addresses have been compromised."

In an email to press, Simon Eappariello, SVP EMIEA, iboss network security, agreed, saying: “The era of companies being held to ransom by a cyber cartel needs to end. If the onus is continually on consumers to change their credentials, we will create fatigued internet users who no longer heed security advice. The key now is in forensic remediation. Under new EU regulation, companies have 72 hours to notify their customers. But how can they fix what they don't know is broken? Once the fog clears a shake-up of accountability must come centre stage. Not pay-as-you-go hacker prevention.”

Amar Singh, interim CISO and chair of ISACA, talking to also noted how the issue raised further questions, particularly in the light of the new EU laws requiring reporting of a breach. 

“What constitutes a breach? My name, email and date of birth might be on a LinkedIn page – does it require the website to have something unique that isn't anywhere else? Otherwise, where's the evidence for a breach? And for the companies affected in this breach – if they don't know they have been breached, are they liable?

"Then if we stumble upon a breach, are we obliged legally to report it – or is it just good citizenship to do so?  And as for selling the information of whether you've been breached – are you breaking a law or is it just a brilliant way to make money?”

In an email to SC, Tom Burton, a director in KPMG's cyber security practice says the biggest issue is what happens with the data, as well as highlighting password protection. He commented on the number of passwords captured saying: “Such a large amount in one go begs a question about what the attackers are going to do with the information they now possess. One possibility is that the plan is to package the information, price it and sell it according to its usefulness.

“This latest breach also offers more evidence that passwords are losing their effectiveness as a protection mechanism.  Individuals cannot possibly remember a different password for each website they use, let alone passwords with strength. In the short-term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached – such as bank or email accounts - while being pragmatic and using common passwords for sites that would be little more than an irritation if breached. 

“The next step will be the rise of consumer-driven 'two factor authentication' using physical devices such as mobile phones to provide unique codes for each access - akin to one-time pads used by spies during the Cold War.”

Geoff Webb, senior director of solution strategy at NetIQ, agrees saying: “This again signals we are reaching the end of the usable lifespan of the username/password combination to security.  The approach of making users create their own passwords simply forces this last, critical step in security into the hands of the people least qualified and least interested in making it secure: the end user.  People don't want to deal with complex passwords they use only once, and as we keep forcing users to be responsible for this security it's unsurprising we keep seeing the same results - weak passwords, reuse of passwords and breaches that cascade to many sites.”

“Organisations don't always protect passwords as well as they should - either using weak hashing algorithms, unsalted hashes, or in some cases, not even protecting the passwords at all.  Many companies don't enforce good password policies, and users employ poor password hygiene - reusing the same passwords in multiple places - meaning that any single username and password combination could present an open door to many sites.”

Singh agreed that passwords have had their day, but added that this still had to be held against the concern that making it too onerous to sign up to a website for example, would lose customers. He said: “Apple and Samsung are using mobiles as part of a multi-factor solution, but if you polled readers, how many would agree to even two-factor authentication as a minimum; how many of Google's users have signed up to their two factor option?  Ease of use is needed for mass adoption.”

Webb points out that, “Although it will be compared to the Target breach, this is a very different kind of problem - because while the Target breach stole credit cards from a retailer, it's impossible to know how many sites will be impacted by this hacker group.”

Chris Boyd, malware intelligence analyst at Malwarebytes, agrees, saying: “While this sounds like a credentials disaster of the worst kind, the fact remains that we have yet to see any hard details on the various breaches – and currently no companies have come forward and admitted being affected. With zero information out there to go on, all we can say is to change your logins if you feel you must, but don't do it out of any sense of panic or impending doom. If this attack really is this wide reaching, then surely some of this information will come out in the wash eventually - with 1.2 billion passwords supposedly taken, it would be impossible for it not to.”

Svajcer also questioned the value of the data saying: “Although billions of passwords have been stolen, this obviously does not mean that its quality is high. We can expect that most of the successfully compromised services would be published by smaller companies or individuals using older, vulnerable versions of software such as WordPress, Joomla, Drupal and other popular content management systems. So the value of a single credential for a particular service may be low for potential attackers."

Webb adds: “This is a huge haul of accounts and passwords and as a result it's very significant. It will be some time before we get a sense of how wide reaching the potential problem here is, if in fact we ever really get insight into the impact. The sheer scale however demonstrates that we have a long way to go in securing web-facing applications.”

Gavin Millard, EMEA technical director at Tenable Network Security, points out that: “Although the headline numbers are staggering, this huge password cache could be related to a handful of SQL injection vulnerabilities on popular content management system or forum applications, for example WordPress, Drupal, phpBB or vBulletin. It shouldn't matter that hackers stole your password to a forum you frequent, but even now with all the breach headlines we see and the fraud associated with it, the fact that many users apply the same password for every internet service they use means the impact of this hack will be significant.”

Webb too notes how: “Small groups of hackers are able to perpetrate this kind of immense data theft because there is already extensive information available to assist them in navigating to vulnerable systems around the globe - hackers have mapped the internet to a high degree of accuracy and that information is readily available.  Furthermore, the advent of cloud computing presents these hacker groups with massive compute power on tap for low cost.  They can use botnets to identify and attack sites, cloud compute resources to crunch the resulting data, and remain under the radar the entire time.”

Millard concludes, “Don't change your password in response to this, change your password habits by using a password manager which will enable you to have an individual password per site you use, thus limiting the impact of any attack of this nature in the future.”


The US firm says that after seven months of research by Hold Security's Deep Web Monitoring practice in conjunction with its Credential Integrity Services, it discovered possibly the largest data breach known to date.

Explaining the attack itself, Hold says that databases of stolen credentials were acquired on the black market and used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Later they acquired access to data from botnets to identify SQL vulnerabilities on the sites they visited, identifying some 400,000 sites as potentially vulnerable to SQL injection flaws. Using these flaws, the databases were stolen from the sites, which range from the very large to very small.

