Russian Gang Amasses Over a Billion Internet Passwords


Monroe

Russian Gang Amasses Over a Billion Internet Passwords

 

By NICOLE PERLROTH and DAVID GELLES

 

AUG. 5, 2014

 

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0

 

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.

 

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.

 

Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information.

 

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.”

 

There is worry among some in the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. In December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from the retail giant Target by hackers in Eastern Europe.

 

And in October, federal prosecutors said an identity theft service in Vietnam managed to obtain as many as 200 million personal records, including Social Security numbers, credit card data and bank account information from Court Ventures, a company now owned by the data brokerage firm Experian.

 

But the discovery by Hold Security dwarfs those incidents, and the size of the latest discovery has prompted security experts to call for improved identity protection on the web.

 

.... more at the link

 



I hear you ... these days the internet isn't all that much fun anymore, not like it was when I got my first computer in 1998. It was an exciting learning experience ... sending an e-mail from the US to Australia in 2 seconds or less ... being able to shop or do banking any time of the day ... and then the scumbag crooks started showing up in greater numbers.

 

In reference to the above article in my first post there was a side article which said this:

 

"How do I know if my personal information was stolen?

 

Assume it is. The latest breach is huge, and similar attacks and smaller thefts are happening all the time.

 

Hold Security is creating an online tool to allow consumers to see whether their records have been stolen, but they are not certain when it will be ready.

 

At this point, it is wisest to improve your online security immediately."

 

... so the little sentence: "Hold Security is creating an online tool to allow consumers to see whether their records have been stolen, but they are not certain when it will be ready."

 

I don't know how that is going to work for everyone that has many passwords and accounts. If anyone reads that this tool is ready to use or available ... post the information ... I may miss the news myself.

 

 

How to Keep Data Out of Hackers’ Hands

 

http://www.nytimes.com/interactive/2014/08/05/technology/what-you-need-to-know-with-russian-hack.html

 

 

By MOLLY WOOD

 

AUG. 5, 2014

 

The numbers sound abstract: Hundreds of millions of email addresses and other types of personal identification found in the hands of Russian hackers. For people worried that they are caught in the mix, however, the discovery by Hold Security of a huge database of stolen data is very personal. But personal doesn’t mean helpless. There are common sense steps everyone can take to keep the impact of hackers to a minimum.

 

How do I know if my personal information was stolen?

 

Assume it is. The latest breach is huge, and similar attacks and smaller thefts are happening all the time. Hold Security is creating an online tool to allow consumers to see whether their records have been stolen, but they are not certain when it will be ready. At this point, it is wisest to improve your online security immediately.

 

Should I change my password?

 

The first step, as always, is to change passwords for sites that contain sensitive information like financial, health or credit card data. Do not use the same password across multiple sites.

...

 

Also from the article is this free password program ... Password Safe

 

http://passwordsafe.sourceforge.net/

 

 

I have also been using this free password generator (Secure Password Generator) that you download and use on your computer ... you are not sending or receiving any generated passwords online ... everything secure on your computer.

 

From the web site description:

 

"Also being an offline tool makes it easy to use anytime anywhere without internet connectivity."

 

I like this program ... very flexible ... if I remember it may try to connect to the internet when first installed or used ... I just set the firewall to ignore the request in the future, if there are anymore attempts ... to check for updates or whatever. It seems to be OK.

 

 

Secure Password Generator v2.5

 

http://www.securityxploded.com/secure-password-generator.php

 

Secure Password Generator is a free desktop-based tool to quickly generate strong & secure passwords.

 

With the growing incidence of web server hacking and database compromises, these days there is a greater need to use strong passwords. This will prevent your password from being decrypted if your password hash falls into the wrong hands.

 

Secure Password Generator helps you to create strong passwords using one or more of the following character sets:

 

    * Uppercase Letters (A-Z)

    * Lowercase Letters (a-z)

    * Numbers (0-9)

    * Special Symbols ($,#, ?, *, & etc)

 

It is very easy to use with a nice GUI. You can generate passwords of lengths ranging from 5 to 500 characters.

 

Also, being an offline tool makes it easy to use anytime, anywhere, without internet connectivity.

 

It is a fully portable tool and also includes an installer. It works on both 32-bit & 64-bit platforms, from Windows XP to Windows 8.

 

... Forgot to add ... when you download and unzip Secure Password Generator ... inside the main folder there is a folder named Portable, so you can either install it or use the Portable version ... I always like portable and fooling with the registry as little as possible.

...

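Added example (editor's note, not part of any post above and not the code of the Secure Password Generator tool or Password Safe): a small generator built on the same four character-set options the tool description lists, plus a diceware-style passphrase generator of the correcthorsebatterystaple kind, an entropy estimate for each, and a toy offline dictionary attack against an unsalted SHA-1 hash, which is the "hash falls into the wrong hands" scenario the description refers to. The symbol set, the 16-word list and the attacker's wordlist are constructed for the example; a real passphrase list has thousands of words.

```python
import hashlib
import math
import secrets
import string

# The four character classes from the tool description. The symbol set is
# an assumption; the tool's exact symbol list is not given on the page.
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!#$%&*?@^_~",
}

# Constructed stand-in for a diceware word list (a real one has 7776 words).
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "river",
            "lemon", "tower", "window", "forest", "candle", "planet",
            "silver", "marble", "rocket", "garden"]

# Constructed attacker wordlist: the kind of guesses tried first offline.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "Goofy", "MickeyMouse"]

ALL_SETS = ("upper", "lower", "digits", "symbols")


def generate_password(length=20, sets=ALL_SETS):
    """Uniform random password over the union of the chosen sets, drawn from
    the OS CSPRNG via `secrets` (never `random`, which is predictable).
    Candidates missing a requested class are rejected and redrawn so the
    result satisfies typical composition rules without biasing any draw."""
    if length < 5:
        raise ValueError("length must be at least 5")
    alphabet = "".join(CHARSETS[s] for s in sets)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in CHARSETS[s] for c in pw) for s in sets):
            return pw


def generate_passphrase(words=4, wordlist=WORDLIST, sep="-"):
    """Diceware-style passphrase: each word is one uniform draw from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, draws):
    """Entropy of `draws` independent uniform picks among `choices` options."""
    return draws * math.log2(choices)


def password_entropy(length, sets=ALL_SETS):
    """Upper bound for generate_password(); rejection of a few candidates
    lowers the true figure by a negligible fraction of a bit."""
    return entropy_bits(sum(len(CHARSETS[s]) for s in sets), length)


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, candidates):
    """Offline guess against an unsalted SHA-1 hash, as found in many dumps.
    Returns the recovered password or None if no candidate matches."""
    for cand in candidates:
        if sha1_hex(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{password_entropy(20):.1f} bits")
    print(generate_passphrase(4), f"~{entropy_bits(len(WORDLIST), 4):.1f} bits (toy list)")
    print("weak hash cracked:", dictionary_attack(sha1_hex("MickeyMouse"), COMMON_PASSWORDS))
    print("generated hash cracked:", dictionary_attack(sha1_hex(pw), COMMON_PASSWORDS))
```

The entropy numbers are what make "strong" concrete: 20 characters over 73 symbols is about 124 bits, four words from a real 7776-word list is about 52 bits, and the toy list here gives far less, which is why the list size matters more than the word count. A strong password defends only against this offline guessing; if the plaintext itself is in the stolen dump, its strength is irrelevant.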

Another article since the first news broke ...  I just went around changing passwords last month, so it should be done again? What are some of you members doing right now ... changing passwords or waiting till some of the dust settles ??? I am now using that program that I mentioned in my last post to make more difficult passwords ... Secure Password Generator. I have been using it since last year for new passwords but just last month I decided to start changing older passwords.

 

That company should be publishing all the names of web sites that were breached so people can be aware of the sites that may need a new password, or should people just go crazy changing "every" password till the next breach, and then do everything all over again and again and again ... or pull the plug on entering secure sites for banking and shopping?

 

Staggering Data Breach of 1.2 B User Names and Passwords Could Worsen: Expert

 

August 06, 2014

 

http://www.foxnews.com/tech/2014/08/06/staggering-data-breach-could-worsen-expert/?intcmp=latestnews

 

The massive data breach revealed this week could be even worse than initially feared, warns a cybersecurity expert.

 

Citing records discovered by security specialist Hold Security, The New York Times reported on Tuesday that a Russian crime ring has managed to gain access to more than a billion stolen Internet credentials. The stolen credentials include 1.2 billion password and username combinations and more than 500 million email addresses, according to Hold Security, which describes the breach as potentially the largest ever.

 

This, however, could be just the tip of the iceberg, according to Richard Martinez, a Minneapolis-based cybersecurity and privacy attorney with Robins, Kaplan, Miller & Ciresi. “The potential target zone of companies that are affected by this is much larger than the ones initially impacted by the breach,” he told FoxNews.com.

 

Martinez explained that, with many consumers re-using their passwords, hackers could potentially access data from even more companies and organizations. “As staggering as the scale of this is right now, it may well be much larger.”

 

Hold Security identified 1.2 billion “unique” stolen credentials consisting of both a username and a password.  However, the Milwaukee-based security specialist says that the gang amassed a total of 4.5 billion records, stolen from more than 420,000 web and File Transfer Protocol (FTP) sites.

 

Hold Security, in a statement on its website, explained: “4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your email address and, let’s face it, almost everyone re-uses their passwords.” 

 

“The sheer number of credentials can potentially open a door to many systems and accounts,” the statement reads.

 

Citing nondisclosure agreements and a reluctance to identify companies still at risk, Hold Security has not named the victims of the hack, or revealed the number of organizations affected. However, the breach is wide-ranging, according to the security specialist. “With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites,” it said.

 

Hold Security has an impressive track record targeting hackers, most notably when it identified 153 million credentials stolen from Adobe Systems last year.

 

The latest discovery followed more than seven months of research. Hold Security dubbed the gang, which did not have a name, “CyberVor” after “vor,” the Russian word for thief.

Martinez described the heist as “another alarm going off” for consumers still reeling from high-profile data breaches at the likes of Target and StubHub. Consumers, he added, need to think seriously about password security.

 

“Refreshing the passwords is critical, not relying on the same passwords across sites is critical,” he said. “At a minimum, the sites that you rank as critical such as your bank, your bills, need unique and distinct passwords.”

 

Government and law enforcement should also take notice, according to the lawyer. “They have a critical role in this -- they need to redouble their efforts to shut down the criminal networks that are both hackers and creating a marketplace for these credentials,” he explained. “Ultimately, our economic stability is dependent on security within digital networks.”

 

Hold Security was not available for comment on this story.

...


To translate this article ( at least to me )

Russian government outsources Robin Hoods. Seriously, who cares???? If the government does this to its own people, why should I care.

Russian Robin Hood decides to do what the government is allowing to happen to millions of its own people already. Seriously, what is the difference, under-law or selling of information from local companies.

Some random firm in Milwaukee reported break-ins and fired the janitor who did not pull the plug. Adobe, who has made their products online only, says "We know nobody loves us".

Blah blah blah more excuses make more laws. Put masks over people's faces.

blah blah blah more places that have nothing to do with the tax payers' money. Snowden was wrong; keep internet security up and resign the failure acy.

It is a losing battle to actually care unless money is stolen. Anything else is a shotgun ( forget the dog, fear the owner ) waiting to happen or a twist to the leg ( "Face-off" ).

Credit card numbers have no security measures. If they spend it, you lose it. SUBMIT SUBMIT demand more waste-of-time security. Our story is lame and contains many excuses and

Blah blah, let's blame some Asian nations as well.

Make more terrible laws. From now on, when using the internet, everything is Facebook.

 

It's this kind of stuff that makes me want to just wash my hands of computer technology altogether.

 

How about invasion of privacy, home invasions, and computer brain removals. Whatever happened to the term PC????

Seriously. I believe this is not news. We have tons of fail-safes already. Why try to rally the public to get more.


 

It's this kind of stuff that makes me want to just wash my hands of computer technology altogether.

How about invasion of privacy, home invasions, and computer brain removals. Whatever happened to the term PC????

Seriously. I believe this is not news. We have tons of fail-safes already. Why try to rally the public to get more.

There's a great big difference between breaking into someone's house and stealing one or a few credit card numbers as opposed to just collecting mass amounts of them online in a few seconds. As for your argument about the term PCs, Macs are generally not considered PCs, so why discriminate against them?

 

Invasion of privacy, that's actually a good one. If it wasn't for Facebook or MySpace, how much invasion of privacy would there really be? So maybe you'll have a few immature people look under the bathroom stall while you're taking a dump in a public restroom, but anything you put out online is literally public domain and many are just too stupid to not control themselves and how much they choose to reveal about themselves. If something asks too much about you, then don't sign up for it! Oh, and how about when your information is put online without your permission? But I'm starting to veer way off topic...so please, go on about your business.


 

There's a great big difference between breaking into someone's house and stealing one or a few credit card numbers as opposed to just collecting mass amounts of them online in a few seconds.

1. I am talking about the "law" breaking into your homes, your email accounts, laughing at your penis pictures, and going through your belongings.

This whole thing about "Robin Hood" is made-up bs. The government is doing that to people right now without consent at all.

As for your argument about the term PCs, Macs are generally not considered PCs, so why discriminate against them?

 

Anything Intel is not Apple. Apple OS is just a GUI front end for UNIX. That is why Apple was great. I mean create HD and bam, all Apples are garbage.

Invasion of privacy, that's actually a good one. If it wasn't for Facebook or MySpace, how much invasion of privacy would there really be?

Youtube = most traffic that was originally used for

Facebook = AOL but not restricted to AOL

Myspace = dumbed down version of website builder.

You're right, without these the internet would be a better place. All they did was herd sheep into a pen.

So maybe you'll have a few immature people look under the bathroom stall while you're taking a dump in a public restroom, but anything you put out online is literally public domain and many are just too stupid to not control themselves and how much they choose to reveal about themselves. If something asks too much about you, then don't sign up for it! Oh, and how about when your information is put online without your permission? But I'm starting to veer way off topic...so please, go on about your business.

Uhmmmm no it is not. The internet is very private.

I am basically comparing

A trusted nation's government to imaginary Robin Hoods. It is the government that is doing this stuff and they are just making up things to scare people, and make them run back and forth in circles.

It is about instilling fear into the voters, so they will be like "Yes Patriot Act" "Yes open doors on everyone" "Yes cop drone fly over my yard while I am nude in my private garden". "Yes more airport penis jokes". "Yes let's give away more of our land to parentless people".


This analysis throws a somewhat different light on the subject:

 

Security firm that revealed “billion password” breach demands $120 before it will say if you’re a victim

 

I’ve been chased all day by the media, wanting to get my view on the New York Times story claiming that a Russian gang has been found sitting on a mountain of over one billion stolen usernames and passwords.

 

[...]

 

The reason for my uncharacteristic reticence to mouth off about a security breach? Well, there was an alarming lack of information supplied by Hold Security in its official statement about the discovery and something just didn’t “feel right”.

 

And although I did end up reporting on the story myself on the We Live Security blog, something kept nagging in the back of my mind…

 

At first, Hold Security said that it could not name sites that had been breached because of non-disclosure agreements.

 

However, it transpired that Hold Security was blatantly using its discovery of a mountain of stolen credentials as a brazen sales pitch for its new breach notification service. For as little as “$120/year with a two-week money back guarantee” you can be alerted if your site is discovered to have suffered an attack.

 

(There's more at the link.)

 

As Cluley (a cybersecurity researcher) says, there's probably something to this, but then the way the discoverer wants to handle it is also fishy:

 


 

 

Personally, I don't plan to change any passwords anywhere as a result of this. Among other things (as I read somewhere), because Hold Security has been so private about which websites exactly were compromised and how, you can't know if any given website was compromised -- meaning that if you change your password now, you can't know if that'll do you any good. If a site hasn't been notified of the breach, it can't fix whatever the problem may be, thus the hackers may have continuing access to it and to any new password you enter.

 

--JorgeA

 

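Added example (editor's note, not part of any post above, and not Hold Security's notification service or any vendor's code): the posts above raise two questions, how a consumer could check "whether their records have been stolen" without handing a third party the very password being checked, and why a reused password turns one breach into many. The scheme below is the k-anonymity range query used by public breached-password lookup APIs: the client hashes locally, sends only the first five hex digits of the SHA-1, gets back every hash suffix in that bucket, and compares on its own machine. The leaked corpus, the account list and the counts are constructed for the example; a real index would hold hundreds of millions of entries behind an HTTPS endpoint.

```python
import hashlib

# Constructed breach corpus standing in for a dump of stolen credentials.
# Duplicates model the same password leaking from several sites.
LEAKED_PASSWORDS = ["123456", "password", "Goofy", "MickeyMouse",
                    "qwerty", "letmein", "password", "123456", "123456"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side. Holds only SHA-1 hashes of leaked passwords, bucketed by
    the first five hex digits (20 bits). A lookup reveals the bucket, not the
    password: roughly one in a million hashes shares any given prefix."""

    def __init__(self, leaked):
        self._buckets = {}
        for pw in leaked:
            digest = sha1_upper(pw)
            bucket = self._buckets.setdefault(digest[:5], {})
            bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1

    def range_query(self, prefix):
        """Return 'SUFFIX:COUNT' lines for every leaked hash under `prefix`,
        the wire format a range endpoint would serve."""
        if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be five uppercase hex digits")
        bucket = self._buckets.get(prefix, {})
        return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password, index):
    """Client side. Hash locally, send only the 5-digit prefix, then match the
    35-digit suffix locally. Returns how often the password appears in the
    corpus; 0 means it was not seen (which is not proof it is safe)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in index.range_query(prefix):
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def exposed_accounts(accounts, index):
    """Given one person's (site, password) pairs, list the sites whose password
    is in the corpus. A reused password shows up as several sites at once:
    that is the credential-stuffing blast radius the articles describe."""
    return [site for site, pw in accounts if breach_count(pw, index) > 0]


if __name__ == "__main__":
    index = BreachIndex(LEAKED_PASSWORDS)
    my_accounts = [("bank", "Goofy"), ("shop", "Goofy"), ("mail", "Zq9!vL2#kR7mP0wX")]
    print("prefix sent to server:", sha1_upper("Goofy")[:5])
    print("bucket returned:", index.range_query(sha1_upper("Goofy")[:5]))
    print("accounts to rotate:", exposed_accounts(my_accounts, index))
```

The design point is on the client: the password never leaves the machine, and neither does its full hash, so a lookup service cannot harvest what it is asked to check. The caveat is the one jaclaz makes in the next post: a hit means the password is burned regardless of how strong it looked, and a miss only means that particular corpus does not contain it.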

Thanks JorgeA for this information ... so did this breach really happen or is the whole thing a "scam" to make money?

 

This looks more and more shady ... no companies sending their customers alerts to change passwords ... everything has been unusually quiet.

 

I did not see this news posted anywhere myself ... perhaps tomorrow or soon there will be more chatter about what actually did happen.

...


You're welcome!

 

I, too, am happy that I found it, as it was basically by sheer chance.

 

Guess only time will tell if the report about 1.2 billion stolen passwords was real news or hype. Maybe somebody else here will have new/more details.

 

--JorgeA


 I am now using that program that I mentioned in my last post to make more difficult passwords ... Secure Password Generator. I have been using it since last year for new passwords but just last month I decided to start changing older passwords.

JFYI, discussion about correcthorsebatterystaple and similar ;):

http://www.forensicfocus.com/Forums/viewtopic/t=10675/

 

BUT, IF the password is actually stolen, it can be as "strong" (or "supposed to be strong") as much as you want, it will still be a stolen password, i.e. it will offer the same security as "Goofy" or "MickeyMouse".

 

jaclaz


I will have to agree with ROTS on this one. I think this entire thing is just a false flag, psyop, or whatever you want to call it. Smoke and mirrors. They have to periodically make some threat up... level orange, no, make that threat-level red. Sorry, you can relax now, it's back to level yellow.

Where's the proof that billions of passwords were stolen? Are we just supposed to take their word for it? Like we're supposed to believe that they actually captured Bin Laden, or that there really were weapons-of-mass-destruction? That last lie cost us thousands of American lives, probably millions of Iraqi lives, and put us trillions of dollars in debt. But corporate profits, bank profits, and oil company profits are at an all-time high.

If it comes from the mainstream media, sorry, I don't believe a single word they say. They have lied by omission enough times, and beaten the war drums in order to spook the American public into sacrificing our liberties, that I have lost all trust in them. (This is also the same government that treats illegal immigrants better than it does war veterans). If I break the law, I'm thrown in jail. If a non-citizen breaks the law, they get free healthcare and food on the American taxpayer's dime. That is the Americans who actually CAN pay taxes because they have jobs, not the 92 million who aren't in the labor force, despite the official unemployment rate which is 6%.

Furthermore, bringing Ebola patients into the US makes everybody one sneeze or cough away from Martial Law and government storm-troopers putting us all on trains to the nearest death camps.

Either this country is run by absolute morons, or else they are purposefully trying to destroy it. Simple as that.
