1 billion credentials stolen by hackers: SSO Alert Priority High
7 August 2014
Reports are emerging about a vast series of data breaches, affecting approximately 420,000 websites across the world, ranging from well known ‘Fortune 500 companies’ and ‘household names’ through to ‘very small websites’.
Approximately 4.5 billion records, comprising 1.2 billion unique ‘credentials’ (such as usernames and passwords) and an estimated 500 million unique email addresses have been stolen by hackers over a period of many months.
A US-based security firm, Hold Security, identified the breaches and has been communicating with Russian hackers it says are in possession of the stolen data.
It has not released the names of the hacked websites, which makes specific recommendations in response to these events difficult.
Our best current advice is to assume your information may be affected and change your password for any sensitive sites which concern you. You should be changing your password regularly anyway as a matter of good practice. Read our other suggestions below.
Hold Security says the gang initially acquired stolen credentials from fellow hackers on the black market, which it used to attack email providers, social media and other websites to distribute spam and install malware. It was also able to gain access to data from a botnet (a ‘zombie’ network of infected computers that can be remotely controlled), which it used to ‘audit the internet’, identifying websites that were vulnerable to SQL injection (a common method used for hacking websites). It then used SQL injection to steal data from these sites.
According to the New York Times, independent security experts have confirmed the authenticity of the stolen data.
The New York Times reports that websites from outside the US have also been targeted, and that to date, the criminals have largely focused on obtaining identity credentials. They have, ‘not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work’.
With such a significant amount of data and number of websites affected, there is a likelihood your information could be involved.
If you are concerned about your data you should evaluate the sites you use and consider taking action to change your passwords and improve your security.
More information is likely to emerge in coming days.
What can you do?
Companies need to ensure their websites are secure against SQL injection attacks. The announcement includes an assessment that most of the hacked sites are still vulnerable and that hackers are still collecting data.
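To make the SQL injection point above concrete, here is an added example (not code from the advisory or from Hold Security) showing the vulnerable pattern beside its fix. The table, the sample users and the function names are constructed for illustration; the point is that splicing user input into SQL text lets quote characters alter the query, while a bound parameter is always treated as data.

```python
import sqlite3

# Constructed sample data for an in-memory database; not taken from the advisory.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """Build a throwaway in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    # Vulnerable pattern: the input is spliced into the SQL string, so any
    # quote character in it becomes part of the query's syntax.
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Hardened pattern: the '?' placeholder binds the value as data; the
    # database driver never parses the input as SQL, whatever it contains.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups against two inputs and report what each one does."""
    conn = make_db()
    results = {}

    # A legitimate name containing an apostrophe: the vulnerable lookup
    # produces a malformed query, the safe lookup finds the row.
    try:
        find_user_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "sql error"
    results["safe_apostrophe"] = len(find_user_safe(conn, "o'brien"))

    # The textbook tautology test case used when verifying a fix: the
    # vulnerable lookup returns every row, the safe lookup returns none.
    test_input = "x' OR '1'='1"
    results["vuln_tautology"] = len(find_user_vulnerable(conn, test_input))
    results["safe_tautology"] = len(find_user_safe(conn, test_input))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The apostrophe case is the useful one for a code review: a query that breaks on a perfectly ordinary name is the same query that an attacker can steer, so the fix (parameter binding) is the same in both cases. The same placeholder style is available in every mainstream database driver; the syntax of the placeholder varies (`?`, `%s`, `:name`) but the principle does not.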
For individuals, because we do not know which sites are involved or details about the stolen data, it will be difficult to know what impact this may have on you or what actions you should take.
As a precaution you should assume your data is affected and change your password for every site which concerns you, particularly if you have provided financial information to that site.
You may prefer to wait for further information before taking more specific action, but you should be aware that affected sites may never be named.
Other suggested actions include:
Changing your password for each website of concern to you and anywhere else you have reused that password. It is good practice to regularly change your passwords for all sites anyway.
Enabling two factor authentication if offered by the site.
Monitoring your bank accounts or contacting your bank.
Staying vigilant about potential spam or use of your email address and other personal information by scammers.
It is likely tools such as ‘password checking sites’ will be released in coming days which enable you to check to see if your information is included in the stolen data.
These can be extremely useful tools to help you clarify if and how you are affected, but you should also note that fake password checking sites have emerged in response to similar breaches in the past, so be sure you can trust the site before you enter any information. Remember they could be phishing for your username and password.
Stay Smart Online will provide updated information when available.
Hold Security’s announcement about the breach. Please note, Hold Security is also offering a paid password checking service in response to this incident, which may have some bearing on the warnings made in its announcement.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.