Experts say the reported heist of 1.2 billion account credentials is legit, but caution that for most people there’s little they can do — or should be worried about.
LAS VEGAS — There’s a good chance that one of your email accounts is among the 1.2 billion accounts compromised in what appears to be the largest credential heist ever.
But experts have two words for you: Don’t panic.
The database of credentials stolen by the criminal organization CyberVor and discovered by security firm Hold Security covers an enormous number of records. Some 1.2 billion username and password combinations and 542 million unique email accounts were lifted from 420,000 compromised domains, according to The New York Times.
“In the latest development, Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date,” Alex Holden, founder of Hold Security, said in a statement on the company’s blog.
While 1.2 billion purloined credentials sounds scary, security experts who gathered in Las Vegas for the annual Black Hat hacker conference this week say that there’s little cause for concern.
“There’s nothing to see here, move along,” said CrowdStrike president and chief security officer Shawn Henry. A former executive assistant director of the Federal Bureau of Investigation with extensive experience in the world of cyberattacks and geopolitics, Henry added that he was surprised that people were shocked by the news.
“This is the aggregate of lots of breaches, an example of fragility of the online world in which we operate,” Henry said.
Research analyst Andrew Conway, who works for the Web and messaging security analysis firm CloudMark, also expressed skepticism at the perceived severity of the report.
“My take is that everything in the story is true,” said Conway. However, he added, “It was presented in the most alarmist possible way. The big misconception is comparing this with something like the Target breach. There’s no evidence that any financial data was involved.”
Hackers attacked retail chain Target over the holiday shopping season last year, making off with not only usernames and passwords but also credit card information, affecting 110 million people.
There’ve been several high-profile database hijacks in the past year, including ones at eBay, comic book reader and marketplace Comixology, Web standards consortium W3C, Michaels craft stores, and Adobe, which Hold Security helped uncover.
How to protect yourself
While it’s possible that CyberVor’s database does include financial data, that hasn’t been disclosed. Given that it affects around 420,000 domains, it could take months before that gets confirmed. Most US states have laws that mandate that companies notify their customers when user information is stolen in an attack.
While you can pay Hold Security for a monitoring service that takes the bizarre step of asking for your passwords, it’s better to just change them. Using password management tools like LastPass, RoboForm, or 1Password can make that easier. It’s also a good idea to turn on two-factor authentication for all your mission-critical accounts, such as your primary email account.
Conway said that he sees around 100,000 compromised domains every six months, but they’re not all newly compromised, as it can take months or years for companies to realize that they have an untended website being used for nefarious purposes.
The real issue at hand isn’t the records in the database, Conway said. More than a billion records may sound like a lot, but when you consider that many people have more than one email account, the chances of the breach affecting 50 percent of global Internet users, estimated at around 2.5 billion people, drops significantly.
A bigger concern to Conway is that SQL injection attacks are still being used at all. SQL injection attacks occur when untrusted input, such as text typed into a Web form, is mixed directly into a database query that the Web site runs, so that the input is executed as part of the SQL command instead of being treated as data.
“This is nothing sexy. Of the 5,000 people at the [Black Hat] keynote speech [Wednesday morning], every single one of them could’ve put together a SQL injection,” he said.
Chris Eng, vice president of research at application security company Veracode, agreed that lax security practices by website and domain owners contributed greatly to the problem.
“It’s one of the simplest coding vulnerabilities to fix,” said Eng, who first began public presentations on SQL attacks 15 years ago. “In 99 percent of the cases, it’s a two-line fix, and we haven’t been able to eradicate it.”
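The “two-line fix” Eng refers to is switching from building the query by string concatenation to a parameterized query. The example below is added here to illustrate that contrast; it is not code from the article or from any of the companies named, and uses a constructed in-memory SQLite table and a constructed probe value rather than real site data.

```python
import sqlite3


def make_db():
    # Constructed sample user store (not from the article): one row, no real credentials.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return con


def lookup_vulnerable(con, username):
    # Untrusted input is spliced straight into the SQL text, so a quote character
    # inside `username` rewrites the structure of the query itself.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_fixed(con, username):
    # The fix: keep the SQL text static and bind the value as a parameter.
    # The driver passes it as data, so quotes in it are never read as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]


def lookup_vulnerable_guarded(con, username):
    # The concatenated query also fails on honest input containing an apostrophe,
    # which is a useful sign during code review that the query is built unsafely.
    try:
        return lookup_vulnerable(con, username)
    except sqlite3.Error:
        return None  # malformed SQL: legitimate data broke the query text


CRAFTED = "' OR '1'='1"  # constructed probe value, the textbook tautology


def demo():
    con = make_db()
    return {
        "vulnerable": lookup_vulnerable(con, CRAFTED),        # every row comes back
        "fixed": lookup_fixed(con, CRAFTED),                  # no such username
        "fixed_legit": lookup_fixed(con, "alice"),            # normal lookup still works
        "vulnerable_apostrophe": lookup_vulnerable_guarded(con, "O'Brien"),
        "fixed_apostrophe": lookup_fixed(con, "O'Brien"),
    }


if __name__ == "__main__":
    print(demo())
```

The same bound-parameter pattern is available in every mainstream database driver; the point is that the query text never changes shape based on user input.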
The New York Times report on the database has been heavily criticized. Some people have complained that the timing of the news is suspect, published the day before Black Hat, even though that’s a common publicity tool for security firms to build interest in their reports.
Others have criticized Hold Security and Holden for refusing to divulge which companies’ domains were included in the database, but offering to sell a monitoring service for $120 a month.
Holden did not respond to a CNET request for comment.
The New York Times told CNET it stands by its story.
“Our story was meticulously reported and completely transparent about the financial incentives of Hold Security,” a Times spokeswoman said, but some experts said more details are needed.
A key fact missing from the Times’ report, said Kurt Stammberger of the Internet attack research and analysis firm Norse, was how long CyberVor took to build the database.
“If this was done in past three months, that’s impressive and scary,” he said. It’s far less so, he said, “if it was slowly gleaned from armies of bots [automated hacking networks] over 5 years.”
From Russia, without love
Other people have suggested that because Holden is originally from the Ukraine and fluent in Ukrainian and Russian, he’s somehow connected to the Russian hackers who stole the information in the database. Independent security reporter Brian Krebs, who serves in an unpaid capacity on Hold Security’s advisory board, defended Holden as an “honest guy” whose research has been “central” to his own reporting.
There’s also been speculation that the database is somehow connected to the ongoing conflict between Russia and the Ukraine.
“It’s probably not related,” said Mikko Hypponen, the chief technology officer at F-Secure who has monitored cyberattacks and geopolitical confrontations for more than two decades. “For all the skills in the region, I expected to see more.”
On-the-ground conflicts contribute to cyberattacks because law enforcement agencies, the traditional enforcers of anti-cybercrime law, are reluctant to get involved when there are armies at play, said Kenneth Geers, who up until recently was a senior global threat analyst at FireEye and moved to the Ukraine last month.
CrowdStrike’s Shawn Henry said that these kinds of cyberattacks, whether simple SQL injections or more advanced attacks, will continue until Russia starts taking cybercrime seriously. He noted that Romania used to be such a hotbed of cybercrime that eBay and other tech giants blocked all connections from Romanian IP addresses until the Romanian government passed new laws and actively enforced them.
“If we had a host government, Russia in this case, that was actively and aggressively pursuing adversaries who are engaged in illegal activity, we’d be in a stronger place,” Henry said.
“This is not a US problem, this is a global problem” that requires “economic, diplomatic, and civil actions. This is a long term problem with no short term solution,” he said.