Fewer than a dozen young Russian hackers have “audited the Internet,” as one security researcher told The New York Times, and have stolen a massive number of username and password combinations used to log in to hundreds of thousands of websites. Instead of selling them on the black market, the hackers are apparently using them to sell spamming services to interested parties.
The obvious worry is that the stolen personal records will eventually be sold online, giving third parties with malicious intentions the data they need to pursue identity theft.
According to the findings of security firm Hold Security, the Russian group hacked over 420,000 websites, including “household names,” and smaller Internet sites, stealing 1.2 billion login details, and more than 500 million email addresses in what may be one of the biggest online heists yet. The data has been independently verified by other parties, who confirmed the database of stolen credentials is authentic.
Interestingly, “some big companies were aware that their records were among the stolen information,” but they have yet to be named. Many of the websites targeted in the heist are still vulnerable.
The ring of hackers began as “amateur spammers” three years ago, but in April they “accelerated” their activity by partnering with another entity that may have shared with them other hacking techniques.
Since then the group has used botnets to find exploitable sites and retrieve their databases; the hackers used SQL injection against vulnerable sites to steal the data.
“By July, criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped,” the Times wrote. “After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.”
This is yet another warning, following the many data breaches and online security vulnerabilities this year, for users to change the passwords for the online services they use on a regular basis, choose stronger passwords and keep them in a password manager, stop recycling the same passwords and usernames across multiple services, and keep their operating systems and software up to date.