A team of hackers based in south central Russia stole over a billion passwords from sites large and small, The New York Times reported Tuesday.
The breach, conducted by a hacker group called CyberVor and discovered by a computer security firm, is the largest known to date but continues a trend of mass credential theft:
In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.
And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.
The CyberVor hack appears impressively large (1.2 billion accounts stolen from 420,000 sites) but a number of commentators are skeptical that the breach is as extensive as the Times reports.
At Forbes, Kashmir Hill questions Hold Security, the firm from which the Times sourced its information, for withholding details about which sites were hacked while standing to benefit from the breach itself:
Panic time, right? You can’t even change your passwords to protect yourself because you don’t know which websites are affected or if they’re still vulnerable. This is the worst kind of news, spare on details and causing a panic without offering a solution. Oh wait, but there is a solution! You can pay “as low as $120” to Hold Security monthly to find out if your site is affected by the breach.[1] Hold Security put a page up on its site about its new breach notification service around the same time the New York Times story went up.
Then there’s the issue of what CyberVor is or isn’t doing with the stolen user names and passwords.
Via Lily Hay Newman at Slate:
Strangest of all, the Times reports that the hackers are mainly just using the credentials to hack social media accounts and spam them. Which is weird, because when criminals steal valuable things, they usually try to sell them. Or if they steal things that give them access to money they take the money. So maybe the credentials aren’t that valuable on their own.
Russell Brandom at The Verge points out that CyberVor may have purchased the bulk of the credentials off the black market which, while serious, isn’t as disastrous as a full-fledged, successful botnet attack.
Still, the breach is a strong reminder of our collective vulnerability, and underscores the inadequacy of username/password combinations on their own. Increasing one’s personal digital security requires a few extra steps. While not foolproof, Newman offers some sensible recommendations:
The key is adding extra layers of protection. Using a password manager, or at least randomly generating strong passwords, eliminating duplicate passwords used on multiple accounts, and adding two-factor (or multi-factor) authentication everywhere it’s offered are all readily available steps that can help you protect yourself.
Takeaway: Digital security threats and the cybercrime that accompanies them cost the global economy somewhere in the neighborhood of $400 billion per year and affect tens of millions of people who have personal information stolen.
That said, articles such as this one from The New York Times oversell (1.2 billion credentials stolen!) and under-deliver (but we can’t tell you who might be at risk). With scant details on what individuals can do beyond paying the paper’s primary source for an audit, the worry is that there’ll be a lot of hype with very little actionable information.
1. Forbes clarifies that $120 is a yearly monitoring cost at $10/month.