Hackers, Hawkers, And Hacks

A security company claims to have uncovered a ring of Russian hackers that carried out the largest theft of usernames, passwords, and e-mail addresses to date:

Security experts have determined that a crime ring out of Russia has stolen a whopping 1.2 billion username and password combinations. They also got away with 500 million email addresses. To date, this is the single largest theft of login information. Initially, Hold Security, who spotted the breach, thought they were “run-of-the-mill spammers.” But over time, the gang upped its thievery and went after SQL servers. Alex Holden, chief information security officer at Hold Security, told USA Today that the e-gang used malicious code to infiltrate 420,000 websites, and was then able to steal their databases. Holden found his own login and password information were compromised in this theft.

Technically, the gang could be brought to justice as Hold Security has both the location and names of the criminals. However, Holden believes this won’t occur, “The perpetrators are in Russia so not much can be done. These people are outside the law.”

But Bruce Schneier recommends taking this news with a grain of salt:

As expected, the hype is pretty high over this. But from the beginning, the story didn’t make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang? The Milwaukee company that pushed this story, Hold Security, isn’t a company that I had ever heard of before. (I was with Howard Schmidt when I first heard this story. He lives in Wisconsin, and he had never heard of the company before either.) The New York Times writes that “a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic,” but we’re not given any details. This felt more like a PR story from the company than anything real.

Russell Brandom heaps on the doubt:

The biggest problem, as Forbes’s Kashmir Hill and The Wall Street Journal’s Danny Yadron have noted, is that Hold Security is already capitalizing on the panic, charging a $120-per-year subscription to anyone who wants to check if their name and password are on the list. Hold says it’s just trying to recoup expenses, but there’s something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up. It also gives Hold a clear incentive to lie to reporters about how large and significant the finding is. …

Both Perlroth’s article and Hold Security’s description stop short of saying the group actually stole all 1.2 billion passwords. They just “eventually ended up” with them. We already know the gang started out by buying data from earlier hacks, but it’s remarkably unclear where the bought data ends and the stolen data begins. Many of the passwords could have been old data from someone else’s hack.