Somewhere in a small city in south central Russia, a group of men in their twenties have got away with what some are describing as one of the biggest cyber-heists in history.
The gang, which has been dubbed “CyberVor” (“vor” means “thief” in Russian) by security researchers, is thought to be in possession of the largest known haul of stolen internet credentials – 1.2 billion usernames and passwords, together with 542 million email addresses.
And the data has been stolen from some 420,000 different websites.
That’s the astonishing claim being made this week by Milwaukee firm Hold Security, which has used the backdrop of the Black Hat and Def Con conferences taking place in Las Vegas this week to announce its discovery, with a little help from reporters at the New York Times.
And naturally the company isn’t being entirely altruistic with its announcement – it’s also using the opportunity to promote its penetration testing and identity monitoring services. I must admit, how they have gone about things has left a bad taste in my mouth.
Frustratingly, Hold Security isn’t saying which sites have been hacked, nor has it given users any method to determine whether their account credentials might have been included in the haul. So quite how the average computer user is supposed to respond to an announcement with such a lack of actionable detail is anybody’s guess.
All the researchers said is that the gang amassed its treasure trove by using botnets to identify websites with SQL injection vulnerabilities, and scooping up their data.
It seems unlikely that all of the websites have been informed of the problem either, considering the number said to have suffered breaches. Hold Security’s founder Alex Holden told the New York Times that websites around the world have been affected, including ones in Russia where the hackers are said to hail from.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”
I have no doubt that the scale of the CyberVor hacking gang’s ill-gotten gains will make numerous headlines over the coming days, but what I would rather see is Hold Security share comprehensive details of what it has discovered with the public, and for clear advice to be shared with organisations and individuals on how to avoid becoming victims in future.
Website developers, for instance, should ensure that they have reviewed their code for SQL injection vulnerabilities, as well as other commonly found flaws.
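To make that review advice concrete, here is an added example written for this page (not code from Hold Security or the original article): the string-built query beside its parameterized form, run against a constructed in-memory SQLite table, plus a crude regex that flags SQL assembled from strings during code review. The table, names and sample inputs are all assumptions.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: a tiny credential table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn


def lookup_vulnerable(conn, username):
    # Flawed pattern: caller input is spliced into the SQL text, so a quote in the
    # input changes the statement's structure instead of being compared as data.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Hardened pattern: the bound parameter travels to the driver separately from the
    # SQL text and is always treated as a value, whatever characters it contains.
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


# Review aid: a rough pattern for SQL assembled by concatenation, %-formatting,
# .format() or f-strings. A hit is a hint for a human reviewer; no hit proves nothing.
_BUILT_SQL = re.compile(
    r"f['\"][^'\"]*\b(SELECT|INSERT|UPDATE|DELETE)\b"
    r"|\b(SELECT|INSERT|UPDATE|DELETE)\b.*(['\"]\s*\+|%\s*\(|\.format\()",
    re.IGNORECASE)


def flag_string_built_sql(source_lines):
    """Return 1-based line numbers whose SQL looks built from strings rather than bound."""
    return [i for i, line in enumerate(source_lines, 1) if _BUILT_SQL.search(line)]


def demo():
    conn = build_db()
    # Constructed input containing a single quote, the character that breaks out of the literal.
    quoted_input = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "alice"),
        "vulnerable_quoted": lookup_vulnerable(conn, quoted_input),        # every row comes back
        "parameterized_quoted": lookup_parameterized(conn, quoted_input),  # nothing matches
    }
```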
It’s also a shame that Hold Security didn’t work with a service like haveibeenpwned, created by researcher Troy Hunt, that helps users determine if any of their accounts had been compromised. Mind you, the scale of the alleged find might have made that problematical.
For the average man and woman in the street, determining how best to protect the details they share with third-party websites is tricky.
Whenever you create accounts online you are putting trust in the hands of web developers that they are properly securing your information. The very best you can do is enable additional security measures (such as multi-factor authentication when made available), and ensure that you never reuse the same password nor choose a password that is easy to guess or crack.
Because one thing is clear: The Russian CyberVor gang may or may not be sitting on one of the largest cybercriminal hauls in history, but unless we all work harder to keep our private information safe and secure, this is not going to be the last time that you’re waking up to newspaper headlines of stolen passwords.
Author Graham Cluley, We Live Security