|Russian crime ring in massive Internet data heist|
In the billion numbers.
Citing records discovered by Hold Security, the New York Times reported on Tuesday that the stolen credentials include 1.2 billion password and username combinations and more than 500 million email addresses.
Guess it is time to change them again. I never use my important passwords and user names on any site that is used for my website work.
With that number of records there are bound to be problems for some of us, too. Changing passwords is putting on sticking plasters.
Protecting the data from harvesting in the first place is the thing that costs money and resources. Clearly, businesses are going to have to invest more in their defenses.
Here's the link to the story from the NYT.
|The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems. |
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information. link [nytimes.com]
|Protecting the data from harvesting in the first place is the thing that costs money and resources. |
1.2 billion passwords is a big story and the news is going to "talk" about it until it no longer generates interest, but the news is also doing people a disservice right now, perhaps because they don't know (or don't care to report) some basic things about internet security.
Let me explain one of the basics (in overly simple terms): big sites like Facebook, YouTube, Twitter, etc., and many smaller sites, do not know your password and thus cannot store your password for it to be stolen. That sounds strange, but when you type in your password these sites run mathematical equations against what you're typing in and come up with what is called a hash value. The hash value is checked to make sure it matches the one saved for your account. As such, the actual password is not stored on their servers in any way that hackers can find useful without considerably more resources than they likely have available to them.
You can protect yourself by trying to recover a password from a site you are a member of. If the site either displays or sends you your password, regardless of how many secret questions and other steps they make you take, then the site does know your password, and that is a site with poor security. If, on the other hand, the site forces you to create a new password and cannot send you an old password, then it's likely they don't have the password stored on their servers. They might, but it's not needed, and so for security reasons it probably isn't kept.
Not knowing user passwords is in the best interest of site owners and encryption makes that possible.
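A worked example, added here by the editor and not part of the post above or of any site's real login code, of the mechanism the post describes: the site stores only a random salt and a hash derived from the password, and a login recomputes the derivation and compares. It also shows the caveat a practitioner would add: an unsalted, fast hash (a single MD5, which is how many breached sites actually stored passwords) of a common password is recovered by a dictionary attack in one pass, and two users with the same password get the same hash, so "hashed" alone is not the same as "safe". The function names, the iteration count, the sample passwords and the wordlist are all constructed for this demo.

```python
"""Added example: storing a password as salt + derived hash, and why the
scheme chosen matters. All names, passwords and the wordlist below are
constructed for the demo; none of this is real breach data."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumption: an iteration count picked for a fast demo; production
# deployments tune this (or use Argon2/bcrypt/scrypt) to their hardware.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> Dict[str, object]:
    """What the site keeps for a user: a random per-user salt and the
    PBKDF2-HMAC-SHA256 output. The password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Re-run the same derivation on the login attempt with the stored salt
    and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(str(record["salt"])), int(record["iterations"])
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def weak_record(password: str) -> str:
    """The weak scheme: one unsalted, fast MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored_md5: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack against the weak scheme: hash each guess and compare.
    With no salt, one pass over the list covers every user at once."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == stored_md5:
            return guess
    return None


# Constructed wordlist for the demo (a real attacker uses millions of entries).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


def demo() -> Dict[str, object]:
    """Run both schemes on the constructed password 'hunter2' and report
    what an attacker who steals the stored records can do with each."""
    strong_a = make_record("hunter2")
    strong_b = make_record("hunter2")  # a second user with the same password
    weak = weak_record("hunter2")
    return {
        # hex digests cannot contain the letters of the password itself
        "stored_contains_password": "hunter2" in (str(strong_a["hash"]) + str(strong_a["salt"])),
        "correct_login": verify(strong_a, "hunter2"),
        "wrong_login": verify(strong_a, "hunter3"),
        # per-user salt: identical passwords give different stored hashes
        "same_password_different_strong_hash": strong_a["hash"] != strong_b["hash"],
        # no salt: identical passwords give identical stored hashes
        "same_password_same_weak_hash": weak == weak_record("hunter2"),
        "weak_cracked_as": crack_weak(weak, WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in the post (does the site e-mail you your old password?) tells you whether the site kept the password at all; it cannot tell you which hash scheme the site used, and that second question decides how much of a breach dump like this one is recoverable.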
I don't know if you read the whole story, but it's not just usernames and passwords. It appears there is e-mail addresses, too, and that exposes other ways into systems and services.
I read the whole story; they sent out emails as well, trying to gain access with other scams. Basically they attacked in every way they could with the data they did get. I just wanted to point out that hash values are a far cry from actual passwords, so check the sites you use to see if they create hash values or store your actual password!
The rest of the scams used don't relate to passwords.
I have to admit that I am clueless as to what specific password data they got and how they got it.
Were sites hacked?
Was it phishing?
It seems like the articles I have read have been extremely vague.
It's a combination, Planet13, of bots, malware on computers, etc. Probably phishing included.
Do remember that a bot may not have attacked your site, but may have attacked the ISP. That way some of your details might have been harvested.