Hackers have amassed a vast collection of stolen data, including 1.2 billion unique username/password pairs, by compromising over 420,000 websites using SQL injection techniques.
That’s according to security monitoring and assessment firm Hold Security, whose past record includes work on uncovering last year’s Adobe source code leak.
Researchers monitored the gang for over seven months, thought to be “fewer than a dozen men in their 20s who know one another personally” based in a small city in central Russia.
They found that the group, working together since at least 2011, had rented time on bot-infected machines around the world. Rather than putting those bots to the more usual uses, such as sending masses of spam, distributing malware or watching the infected system to capture banking logins, the gang monitored every website visited by the compromised host’s user and probed each one for SQL injection vulnerabilities.
Vulnerable sites were then plundered for any data they could be tricked into leaking, which was added to the gang’s epic cache.
By the time it was acquired by Hold Security, this amounted to 4.5 billion records, including the 1.2 billion unique login pairs and over half a billion unique email addresses. The data has apparently been verified as genuine by an independent expert at the behest of the New York Times.
SQL injection attacks are one of the most common ways of compromising web-facing systems.
Databases are used by websites to store all sorts of information, including sensitive data like passwords and credit card details.
Because of their sensitivity, these databases are normally not reachable from the internet: only the web application itself talks to them. But if that application builds its SQL queries by pasting user-supplied input straight into the query text, an attacker can supply input that changes the meaning of the query, turning the website into a go-between that gives them indirect access to the database.
Although this haul is staggeringly large, the infrastructure and techniques required to perform the attack are nothing new, according to SophosLabs’ Senior Threat Researcher James Wyke.
A large proportion of all the malware families that we see form some sort of botnet. In fact there are relatively few categories of malware that don't.
Even those that don't are often spread through botnets - CryptoLocker was spread via the Gameover Zeus botnet for example.
Botnets themselves can be extremely large. We estimated that the ZeroAccess botnet managed to infect over 9 million machines and the number of Gameover infections was also in the millions.
If you want to understand more about botnets and what they do, listen to our TechKnow podcast with James and Naked Security’s Paul Ducklin.
The researchers who uncovered the cache of data have described the technique as “possibly the largest security audit ever”.
Of course, the huge numbers will be inflated by the inclusion of expired and throwaway logins, but given the general state of password security it seems inevitable that a pretty large number of people will be at some sort of risk from this mass harvesting.
At the moment, apparently, the gang, which Hold has dubbed “CyberVors” from the Russian for “thief”, are mainly using the data to provide social network spamming services, but it could easily be used for any kind of account hijacking or identity theft in future.
It also seems inevitable that with such a large haul from such a wide range of sites, there will be more than just usernames, passwords and email addresses in there, not least social security numbers and payment card information.
The researchers say they are working through the list of vulnerable sites, informing the owners and urging them to shore themselves up, but with close to half a million to get through that could take some time.
They’re also working on a secure way of allowing people to check the dataset for their own passwords to see if they’ve been compromised.
Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days.
That isn’t how this kind of breach is normally handled, SophosLabs’ Principal Virus Researcher Vanja Svajcer explains:
This is quite an unusual approach to remediating an alleged major credentials compromise. For a long time the security industry has freely shared information on breaches within its own community.
Researchers discovering credentials breaches usually help end users either by making the information about compromised accounts public or by working with the company whose servers were compromised ... it is reasonable to expect the company to make the information freely available so everybody can check that none of their email addresses have been compromised.
Sixty days is a long time to wait. If you can’t find out if you’re affected what should you do today?
Website users
There is currently no way to tell if you have been affected by any of this. The owners of the affected sites are being informed and hopefully they will tell their users in turn.
Because the sites that were successfully attacked were compromised by easily-avoided vulnerabilities it’s prudent to assume those sites didn’t secure the data in their databases properly either. Even strong passwords are at risk if they aren’t stored correctly.
That means a large, random selection of people have had their personal data compromised and the only reasonable security precaution is to assume you’re one of them. We recommend that you:
- Change your website passwords.
- Use a unique password for each website.
- Use two-factor authentication wherever you can.
- Check bank and social media accounts for suspicious behaviour.
Website owners
This data haul may yet turn out to be a ‘Heartbleed’ moment for website owners who assume their sites are too small to be of interest to hackers.
The gang that amassed this giant data haul didn’t discriminate between popular or unpopular, large or small. All that mattered was vulnerability.
Fortunately SQL injection attacks are easily defeated by simple coding practices: build queries with parameterised statements (prepared statements) so that user input is passed to the database as a value and can never be interpreted as part of the SQL text, and treat input validation and filtering as a second line of defence rather than the only one.
If you run a website, we recommend that you:
- Install a Web Application Firewall as an extra layer of defence; it buys time but does not replace fixing the code.
- Harden your website against SQL injection.
- Make sure your users’ passwords are stored safely.
- Enable two-factor authentication for your users.
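To make the go-between mechanism described above concrete, and to show what “harden your website against SQL injection” means in code, here is an added example. It is not code from the article or from Hold Security: a login lookup that concatenates user input into its query sits beside the parameterised version that closes the hole. The table layout, the sample rows and the two payloads are constructed for the demonstration, and it runs offline against an in-memory SQLite database.

```python
"""Added example (not code from the article or from Hold Security): a web
application's login lookup as the 'go-between' that SQL injection abuses,
beside the parameterised version that closes the hole. Runs offline on an
in-memory SQLite database seeded with constructed sample rows."""
import sqlite3

# Constructed sample data; not real accounts or credentials.
SAMPLE_USERS = [
    ("alice", "hunter2", "alice@example.com"),
    ("bob", "letmein", "bob@example.com"),
]

# Attacker-controlled inputs. The first makes the WHERE clause always true;
# the second bolts a UNION onto the query to pull the password column out
# through a result set that was only meant to return username and email.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username, password FROM users WHERE '1'='1"


def make_db():
    """Create the in-memory users table and seed it with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': user input is concatenated into the SQL text, so the
    input can change the structure of the query, not just a value in it."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: the SQL text is constant and the value travels separately as a
    bound parameter, so whatever the input contains it is only ever compared
    against the username column."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a legitimate name and both payloads."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": sorted(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "vulnerable_union": sorted(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "safe_tautology": lookup_safe(conn, PAYLOAD_TAUTOLOGY),
        "safe_union": lookup_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} -> {rows}")
```

The UNION payload is the point worth dwelling on: the vulnerable query was written to return usernames and e-mail addresses, yet the attacker walks away with the password column, which is exactly how a site ends up contributing to a cache like the one described here. The parameterised lookup returns nothing for either payload because the whole string is compared, quotes and all, against the username column.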
Further information
Learn more about server-side safe password storage in our Serious Security article How to store your users’ passwords safely.
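As an added illustration of the safe-storage point made above (“Even strong passwords are at risk if they aren’t stored correctly”), the block below is example code, not taken from the article or from the linked Serious Security piece. It contrasts the unsalted fast hash a careless site might use with a per-user salted, deliberately slow derivation using PBKDF2-HMAC-SHA256 from Python’s standard library. The iteration count, record format and sample passwords are this example’s own choices.

```python
"""Added example (not the article's own code): server-side password storage
with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-
SHA256 from Python's standard library), beside the unsalted fast hash it
replaces. The iteration count and record format are this example's choices,
not a recommendation taken from the article."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # deliberately slow; raise it as hardware gets faster


def unsalted_sha256(password):
    """What a careless site does: one fast hash, no salt. Identical passwords
    give identical hashes, so one cracked hash or one precomputed lookup table
    unlocks every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per user means two users with the same password
    get different records, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(record, candidate):
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the comparison leaks nothing about where it failed.
    Malformed or unknown records are rejected rather than raising."""
    try:
        algorithm, iterations, salt_hex, expected_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), expected_hex)


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("unsalted identical:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("salted differ:     ", record_a != record_b)
    print("verify good:       ", verify_password(record_a, "correct horse battery staple"))
    print("verify bad:        ", verify_password(record_a, "hunter3"))
```

Storing the algorithm and iteration count alongside each hash is what lets a site raise its work factor later and migrate users on their next login, instead of being stuck with whatever it chose on day one.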
Yeah, and it’s totally natural that this “firm” created their website and FB page 30 days ago, and ask users for their passwords to “verify the hash” as they know the encryption method of the 420000 hacked websites…
I seriously thought you were better at security and investigation than any major news website, guess i was wrong.
It’s clear that Hold Security have a big PR push behind this and yes, it seems that they created their Facebook page on July 1st probably as part of that PR push but you make it sound as if they just magically popped into existence, they didn’t.
Their website has been around considerably longer than that and this isn’t the first big story they’ve been involved with. They helped uncover the absolutely enormous breach of Adobe data last year.
Am I going to apologise for their behaviour, though? No, I’m not. Are they behaving strangely? Yes, we say so in the article. We don’t know why, all we can say is that this isn’t the way that companies normally deal with a data breach. Perhaps they felt they didn’t make enough hay from the Adobe breach.
As to the encryption methods, again it’s behind closed doors so we don’t know what they’re up to but remember that 19% of websites run WordPress and 6% run Drupal. That’s one quarter of the web. If you hoover up credentials from small websites you’re going to hit a lot of passwords stored in exactly the same way.
I reckon I have the 30-days stuff wrong, I happened to read a bit quickly, but I will still maintain this “hack” is utter BS, I’ve never seen a fishier security breaking news in my life.
Not even being a troll.
Mitch.
As Yoda would say, in a “Star Vors” message,
“protect from the dark side, you must”
“tor wars” ??
may beeeee…………………………….
web analytics monitor traffic, maybe use onion routing for page tagging and packet sniffing 🙂
But if I change my passwords, can’t they just get them again? Has anything been “fixed” so they can’t get them?
No, but don’t give up hope.
Whenever you give private information to a website you run the risk of that website being knocked over and your data falling in to the wrong hands. That didn’t start today and it won’t end tomorrow (and neither did criminals systematically scanning websites for vulnerabilities).
If you use a strong password and the site stores the passwords correctly then your password is still all but useless to the criminals even if they crack the database that stores it.
Of course you’d rather they didn’t even get the chance to do that and I think that situation is improving too. The free, open source, Content Management Systems used at the small website level have really got their act together and are much more resilient to SQL injection than they used to be. It’s rare that the core software in those systems is vulnerable and when it is they fix it pretty sharpish.
The problem for those popular CMSs is now in their plugins and with the number of people using out of date versions. I expect to see progress on both those fronts.
Yeah, this seems like a *totally legitimate* company. $120/year to be told if your credentials are compromised, and then you have to give them your passwords for verification.
Think I’ll stick with Troy Hunt’s free offering, thanks.
I’m curious to know how a company like Hold Security can determine that the average age of a group like this is 20-something and know how well they are affiliated with each other? The New York Times even states “…the group started out as amateur spammers in 2011 buying stolen databases…” – huh? How can someone know this?
So sometime in the next 60 days Hold will be announcing a way to scan the database of stolen info – how long before the bogus offers to check come out?
There’s also the lack of observable evidence to back this up – it’s unknown for attackers to lift more than a few hundred passwords without grabbing the databases from the servers, yet we haven’t witnessed a batch of companies notifying anyone of data breaches.
I call BS on Hold Security’s story. No criminal group stole 1.2 billion passwords, and I claim my £5.
With odds of a billion or so to one that my login info will be used against me, I’ll be spending my money on lottery tickets rather than send it off to Hold Security.
Meanwhile, I’ll just continue my normal schedule of “password refreshing”.