A Russian gang dubbed ‘CyberVors’ has amassed an astonishing 1.2 billion unique web credentials stolen from 420,000 different web and FTP sites, US security firm Hold Security has reported after researching the vast scale of Internet data theft over a period of months.
The news shouldn’t be surprising, although in the way of security reporting it is being promoted as such; data breaches have been legion for many years and all of this data goes somewhere. That it ends up in criminal databases that can be exploited for years is not a new discovery.
What the Hold Security revelations do offer us, however, is a way of homing in not on the theft of data but on where it ends up and how it is being exploited on a huge scale. Away from the pain of big brands embarrassed by poor security, that has always been the real story.
Hold Security said it had discovered a total of 4.5 billion records, of which 1.2 billion appeared to be unique once duplication had been taken into account. The firm didn’t say how many of these actually work – many will have been changed after a publicly reported breach – but it is probably at least hundreds of millions.
“Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems,” said Hold Security’s publicity note on the revelation.
The CyberVors gang (named after the Russian word for ‘thief’) had bulked this out by using botnets to detect SQL injection vulnerabilities in websites and then stealing data from those sites on an industrial scale.
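As an added illustration of the kind of flaw that botnet scanning looks for (this is example code written for this page, not anything from Hold Security’s report or the gang’s tooling), here is a login query built by string concatenation beside its parameterized form, run against a constructed in-memory SQLite table. The classic `' OR '1'='1` payload makes the concatenated query return every row, which is exactly how a credential table gets dumped; the bound-parameter version treats the same input as an ordinary string and returns nothing.

```python
import sqlite3

# Constructed sample data for this example (not from the article).
# Plaintext passwords are used deliberately to show what ends up in a dump;
# a real system must store salted password hashes, never plaintext.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse"),
    ("carol@example.com", "letmein"),
]

# A payload that closes the quoted string and appends an always-true clause.
INJECTION = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the SQL by string concatenation: the injectable pattern.

    With email = password = INJECTION the statement becomes
      ... WHERE email = '' OR '1'='1' AND password = '' OR '1'='1'
    which is true for every row, so the whole table comes back.
    """
    sql = ("SELECT email, password FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email, password):
    """Same query with bound parameters: input can never change the SQL."""
    sql = "SELECT email, password FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def demo():
    """Run both forms against the injection payload and a legitimate login."""
    conn = make_db()
    return {
        # Vulnerable form: the payload dumps all three credential pairs.
        "dumped": login_vulnerable(conn, INJECTION, INJECTION),
        # Parameterized form: the payload is just a string that matches nobody.
        "safe": login_parameterized(conn, INJECTION, INJECTION),
        # Parameterized form still works for a genuine login.
        "legit": login_parameterized(conn, "alice@example.com", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The query text is deliberately the simplest possible case; real sites were typically hit through search forms, ID parameters and other inputs that build SQL in the same way, and a scanner only needs to see an error message or a changed response to know the site is worth coming back to for a full dump.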
“Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach.”
An interesting detail about the unnamed gang is its location: not just in Russia but in a remote part of the country’s deep south. Russian gangs in this business used to be associated with St Petersburg, but circumstantial evidence suggests the industry is now located in more remote parts of the country.
The suspicion has always been that the Russian Government tolerates criminals because they overwhelmingly attack targets in other countries, but the migration to southern Russia implies that it might be more complicated than this.
“This discovery highlights the need for companies to inform their users as soon as possible if they think their servers have been compromised as our only defence is using different information online,” commented ESET’s Mark James.
“The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites.”