Yesterday a small Milwaukee security company of which you have probably never heard broke the news that a group of nameless twentysomething Russian hackers had acquired a collection of 1.2 billion username/password combinations, the largest such collection in history.
The internet, understandably, lost its shit entirely.
The statistics quoted by Hold Security were shocking: 1.2 billion is approximately the population of China, after all. That number represents about half of all internet users. Half of all internet users.
The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.
How can 4.5 billion records translate into 1.2 billion password/username combos? Well, a lot of people use the same passwords in multiple sites. A lot of dumb people. As well, and increasingly in our super-integrated world, large companies gobble up the small, forcing the small to use their own patented log-in system. Remember when YouTube was bought by Google and suddenly your Gmail account and your YouTube account were the same? When Yahoo bought Flickr and made you log in with your Yahoo ID instead of your unique Flickr ID? Yeah, that. Consolidation is responsible for a lot of those duplications, as the hackers collect your credentials from Gmail, Youtube, Flickr and Yahoo, resulting in four records and only two credentials (assuming you didn’t use the same username/pass at Gmail AND Yahoo, but you wouldn’t do that, right? RIGHT?). Same deal every Yahoo site they hit where you have a log in; a new record, but not a new credential.
Who is the CyberVor gang?
The term was coined by Alex Holden of Hold Security: it comes from the Russian “Vor,” for “thief.” And from the term “Cyber” for “media appeal.” The group, according to Holden, are fewer than a dozen men, real life friends and co-workers in this very much for-profit industry, and all are in their twenties. They hail from an unspecified, medium-sized city in south-central Russia between Kazakhstan and Mongolia. And they have been in this business only since 2011.
How did they get so many credentials?
Two ways: The first is the easiest; they collected them. Data dumps of this nature are the lifeblood of the dark web, where they are bought, sold, and rented on black hat forums. The CyberVor gang are the cyber equivalent of hoarders, collecting credentials as they went along. Since 2011, when they went into business, they’ve been using them for spam purposes, and making a decent living, apparently.
The second way was far more ambitious. Using a botnet, they probed much of the public face of the internet, looking for site vulnerabilities, which they collected. They essentially conducted the largest security audit in history, as Holden pointed out in his blog post. They didn’t then send the results to the companies with suggestions to fix them, like a grey hat hacker would have. After they’d found all the vulnerabilities (some known to other hackers and exploited, others unique) they attacked the sites, usually with an SQL injection. That attack forces a site to give up its databases, including user/password combos.
By collecting the weaknesses first and then attacking all the identified targets, they decreased the likelihood the word would get around the security industry and companies would tighten up, removing the weaknesses. Essentially, they did a huge recon and then struck hard, everywhere, all at once.
And the victims didn’t even know it had happened.
Holden says that the targeted websites were of all sizes, from the tiniest blog to the largest Fortune 500 website. It didn’t matter. Like the fast food joke goes, “It’s all parts.” In April the group apparently vastly accellerated their activities, and according to the New York Times, which broke the story to the mainstream, it was likely because they teamed up with another, as yet unidentified, group to share resources.
Holden is keeping the list of victims under his hat for now, doubtless because some are his clients and would just as soon not be publicly embarrassed in the fashion that Target, PFChang’s, and other recent hacking victims have been.
Why were these sites hacked? What is the ultimate point?
The short answer is: Money.
The long answer is: Money, in the form of various spam revenue streams. Spam makes money from the fish that click on the spam and send money, it makes money from the hackers who sell lists of compromised email accounts you can use to send spam from. In this case it doesn’t appear that the hackers attempted to extort the websites for “protection” money, but they could have.
Who is Alex Holden?
Holden is the proprietor of Hold Security, and because he is not a household name in the security industry, and because he is keeping some details of the hack to himself and his clients, many people are questioning the entire CyberVor scenario.
Ok… heres the kicker… 1.2 billion u/p stolen. This is truly epic. Here’s the problem. These companies that got jacked have to worry about legalities. They are either very confident there will not be a class action lawsuit, they are covering something up, or it’s bullshit. 1.2 billion is the population of China… and that’s no small number. A class action lawsuit would be ginormous. I don’t see this splattered every where … you’d think they would ask people to change passwords and what-not on next log in, etc. None of that. Maybe they are going to try to cover it up? Its pretty hard to bury something that large in spite of the Target fiasco.
This leads me to think of the last option. It’s bull … how many people saw this and said “damn I’m gonna change all my passwords” or “I should be safe?” Moreover, what is the complacency level? How many people just say “fuck it, its just another hack and that’s just how it is?” It’s a great social experiment. What happens if this global level attack happens and people aren’t given information? This IS being reported by a US security firm. Maybe they want to know how people react. I’m not saying it is that way but no one has brought it up. In spite of all the social hacks on Facebook, maybe this is the next level?
It’s an intriguing idea: that this is all just a big fake-out by The Powers That Be, to see how civilians react to a cyber-threat of this nature. And the questions are pervasive enough that prominent spam/hacker reporter Brian Krebs, who literally wrote the book on spam, felt it necessary to come to the defense of Holden.
I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Alex is a talented and tireless researcher, as well as a forthright and honest guy. His research has been central to several of my big scoops over the past year, including the breach at Adobe that exposed tens of millions of customer records. Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.
What should we do now?
Change your passwords. Your email passwords, your website passwords, your Yahoo passwords, your Google passwords, all of it. Clearly the companies involved have not alerted the actual victims, who would be you and people like you. You can’t wait for them to tell you (Target knew it had been hacked weeks before the public found out, and sat on the information, and those were credit card details!). Assume you are on the internet and you have therefore been hacked; those are the odds. So make a habit of changing your passwords regularly. Some people tie it to Spring Cleaning. Some people tie it to the close of a financial quarter. Whatever. Change your passwords, and make them different, and make them LONG.
A long password is a better protection than any variety of clever short password. Just promise me you won’t use any proper nouns from Lord of the Rings.
Depending on how activist you are feeling today, you can also contact the sites you have registered on and ask them if they have been part of the hack. If you’re really activist, and you find out that a company withheld this information from you, you can join in a class action suit, on the basis that they were entrusted with your data, failed to secure it reasonably, and hid that information from you. Increasingly, such suits are meeting with success in courts.
Ironically, one of the reasons they are successful is that the companies have taken hackers to court over costs incurred from hacks. If companies are holding hackers financially accountable for hacks, then why wouldn’t activists and customers hold companies accountable for getting hacked? Companies who have been or are being sued over this include Target, EBay, and Sony.
As for who got hacked by CyberVor, well, time will tell. Because Alex Holden won’t.
Featured Ninja Hacker image by Brian Klug on Flickr