True or not, Russian ‘hack of the century’ means the password is now obsolete

7 Aug 2014

If proven true, the data heist by a Russian cybercrime gang should send a shiver down the spine of every person on the planet with a username and password.

Yesterday it emerged that a Russian cybercrime gang became internet enemy No 1 after allegedly amassing 1.2bn username and password combinations from vulnerable websites.

Hold Security revealed more than 500m email addresses are in the possession of the gang after they methodically trawled through 420,000 of the most secure websites on the internet.

We spoke to security experts Brian Honan from BH Consulting, Tom O’Connor from, and Dermot Williams from Threatscape to see how real the threat is and what internet users should do to protect themselves.

The first question is whether or not the heist really happened.

Heist almighty!

“Without more details from the security company that claims to have found this database it is difficult to determine exactly what happened,” says Honan. “However, whether or not this 1.2bn user credential database actually exists there is a huge amount of compromised details available on the internet and this story reinforces how weak security and poor password management by companies has led to the exposure of people’s passwords.”

O’Connor, however, believes the threat is very real. “Such a botnet was discovered by Krebs on Security in December 2013 by the name of ‘advanced power botnet’, so it’s extremely likely that such an amount of logins could be collected this way from hacked website databases.

“In fact, you will see the same security guy Alex Holden (from Hold Security) mentioned in the Krebs report. It seems Holden must have kept investigating the matter which lead to this.”

Williams also believes the threat to be accurate. “I’ve not seen evidence of it personally but The New York Times is saying that the security company who disclosed the attacks (Hold Security, presenting at the Black Hat conference in Las Vegas this week) allowed them to independently verify things to their satisfaction. Hold Security offers a range of services for both companies (is your website vulnerable?) and individuals (have your credentials been stolen?) so some are accusing them of self-promotion – but the overall scale of the data theft involved seems to be accurate.”

The Russian cybercrime gang behind the heist

So who are the cyber-criminals behind this attack? “They appear to be a small team of around a dozen young Russians who are basically making a living from hacking and spamming,” says Williams.

“They relied on some of the traditional tools of attackers, including planting malware on victims’ PCs, and then using them to scan for SQL injection exploit opportunities on sites the infected PCs visited in order to find vulnerable sites they could steal data from. The staggeringly large number of websites which they apparently compromised over time suggests that they were able to widely exploit SQL vulnerabilities in one or more website building blocks, such as a content management system, blog platform, or similar.  

“I’ve not seen details yet about just which SQL vulnerabilities or software they may have been targeting but as well as the large number of websites it has also been suggested that they range in size from very small up to some very big names so I am assuming they must have found unpatched holes on some very widely used platforms, such as WordPress, Joomla, Drupal, blogging modules or similar.”

Explaining how SQL injection flaws work, Honan says, “If the infected PC identified such a website, it would send the details back to the criminals who would then break into the vulnerable website. The gang could have gathered this information from existing dumps of password databases that already exist on the internet, for example those for LinkedIn, Adobe, and the Forbes breaches. Alternatively, they could have purchased some of the credentials from other criminal gangs. There is a very active underground market where criminals buy and sell user details.”

The butcher’s bill for you and I

For most people, the anchor of their online identity, and their credentials for e-commerce transactions, is typically the same or similar set of usernames, email addresses and passwords.

The big question now is what does this mean for ordinary internet users and what should they be doing about it?

As far as O’Connor is concerned, this is the signal that the password as we know it is obsolete. “The day of the password is obsolete. It’s becoming impossible to keep a password. If someone has your email and password and you use it on PayPal, Facebook, Gmail, they could have it so change it.

“Also invest in the latest security software. Some websites are coming online today to check if peoples’ information has been breached.”

And what has been the damage so far if the criminals have your details?

“The indications are that it is usernames, email addresses and passwords that were taken,” Williams points out. “As is always the case with attacks of this nature, users need to be aware that not only is their account at the compromised site now at risk, but if they have reused the same password elsewhere, then other sites and accounts could be at risk.

“Attackers have tools which can quickly scan hundreds of popular sites to see if the same credentials have been reused. Securing your access to sensitive or valuable online systems such as bank accounts or email with the same password you use on a smaller and likely less secure site is very poor digital security practice and will almost inevitably cause you problems eventually.

“Also, the fact the users have a large block of email addresses means that affected users are likely to already be seeing an increase in spam email, much of which may be malware or attempt to trick them into visiting infected websites.”

As Honan sees it, the login details of every user is now in the hands of the criminals. “They could also have other personal details that may have been exposed while they accessed the insecure websites. Finally, the database also contains a list of websites that have security weaknesses in them. This information can be used by the criminals, or sold to other criminals, to break into those sites again and steal more information.”

Honan recommends ensuring you are using secure passwords and that you are not reusing the same password across other websites.

“Where possible – for example, for Facebook, Gmail, Twitter – and a number of other sites, you should implement additional security measures, such as two-factor authentication using your mobile phone. You should also regularly change your passwords. To make the management of passwords easier you should also employ a password manager application such as 1Password, LastPass, or Password Sage.”

Williams agrees that password manager programmes are worth using. “LastPass and KeePass are two of the more popular ones. And practice the normal prudent online safety procedures, such as being suspicious of unsolicited email messages and not opening attachments or clicking links they may contain, using and updating a good antivirus package, installing all the latest software patches for your operating system, web browser and plugins.”

Who’s to blame?

Ultimately, Honan believes, the fault lies in the hands of the companies that accepted the passwords, email addresses and usernames in the first place.

“Attacks via the internet are inevitable, however, that does not mean a security breach is inevitable.

“Proper defences and effective monitoring can prevent the majority of attacks. If reports are true that the data were compromised using SQL injection techniques then the companies that held this data could have done more to eliminate this attack vector.

“SQL Injection vulnerabilities are well known and documented, as are the ways to prevent them, so there is really very little excuse for a company to have these vulnerabilities in their application.”

Hacker image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years