It’s Time to Change Passwords Again; 1.2B Stolen

If you follow me on Twitter (@SecAdept), you probably noticed me mention last week’s huge credential leak. If not, take note as it’s probably time to change your passwords again.

Last week, The New York Times released a story about Russian hackers sitting on a dump of over 1.2 billion stolen credentials (usernames and passwords)… Yes, that’s billion with a b.

The New York Times based their story on information from Hold Security, a research firm that helped track the Adobe and Target breaches. According to a blog post, Hold Security’s researchers identified a Russian cyber gang (which they call CyberVor) sitting on a dump of 4.5 billion credentials, 1.2B of them actually unique. They say the group also has over 500 million unique email addresses. This huge repository of data wasn’t the result of a single attack, but rather of a long-term botnet campaign that allegedly leveraged SQL injection (SQLi) attacks to steal this information from over 420,000 vulnerable web sites.

Other than that, not much is publicly known about this campaign of credential thefts. In fact, some find this news somewhat suspicious, since Hold Security hasn’t shared all the relevant details yet. For instance, they haven’t said whether or not the stolen credentials are hashed, which would at least impose a small roadblock on those trying to leverage them. They also haven’t shared any physical data about this leak, at least publicly. Furthermore, they seem to be charging for a subscription service to tell you whether or not you are affected. That said, Hold Security is a well-known and respected group that even has the backing of Brian Krebs. Lying about a breach of this magnitude would be business suicide.

So the obvious question is, what should you do? It’s pretty simple actually, if a bit irritating. Change all your passwords! I know it’s a pain in the butt, but if this is true, bad guys probably have access to at least one of your passwords. You should use this as an excuse to change your password on every important site. I highly recommend using a different password on every site, and using a password vault to help you create and remember all these strong passwords.

One last aside. A few folks have asked me if they should get new credit cards. So far, there have been no reports that these Russian hackers are sitting on any credit card details. So currently, there is no need for any panic there. If news of credit card leaks comes out, your credit card company will likely inform you if you’re affected. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

5 Responses to “It’s Time to Change Passwords Again; 1.2B Stolen”

  1. Is there any point in changing passwords if the web sites have not been fixed?

    • David,

      You make an interesting point, but it’s hard to say with so little information about this alleged credential dump. They say the attackers collected this info from 420k sites over years, so logic suggests some of the affected sites may have (hopefully) cleaned up the SQLi flaw that allowed the attackers in… but no one knows for sure. All this is based on what Hold Security said. You are right though… if the SQLi flaws are still in the affected sites, there is little point changing your password until they fix it (other than perhaps it would force the attackers to go back and re-exploit, which could be time consuming for 420k sites).


  2. Uh, yeah, about that …
    I’m not saying Alex Holden is lying, or even mistaken, necessarily. But I think he might be puffing things up just a wee bit. And Brian Krebs’ backing basically means that he believes Holden, i.e., it means nothing.

    • John,

      I kind of agree with you and the site right now. I felt compelled to report on the story since so many had picked it up, and it doesn’t hurt much to change passwords in case it is correct. However, it is really suspicious that they haven’t shared any more data about the leaks. Time will tell…

    • Yikes, I just lost a bit of respect for Krebs. I don’t think he mentioned that he is part of Hold Security’s advisory board when he backed them…
