The New York Times reports:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.
The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.
Russian Gang Amasses Over a Billion Internet Passwords
(Score: 3, Insightful) by The Mighty Buzzard on Wednesday August 06 2014, @11:47AM
The article was unclear on whether the gang had a password for each username or a salted+hashed and/or encrypted password. This distinction would be fairly important. I'd feel quite secure giving them a copy of my /etc/shadow as they're not going to have a rainbow table for sha512 that extends to salted 30+ character passwords.
My rights don't end where your fear begins.
(Score: 3, Insightful) by mtrycz on Wednesday August 06 2014, @12:18PM
TFS states that the credentials are coming from 400k+ different small-to-medium websites, so I'd expect that a significant portion of those didn't have a budget for security or enough know-how or just didn't care enough to salt the passwords.
Sure, most of them are probably sites built with some of the many frameworks that already have a reasonable policy built-in, but how many out of 400k would you expect not to have it? I'd expect many.
In capitalist America, ads view YOU!
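The distinction the two comments above draw (plaintext or unsalted hashes versus salted, iterated hashes like the sha512 entries in /etc/shadow) in working code. This is an added example, not code from the discussion or from Hold Security; the record format, the work factor and the sample password list are constructed for illustration.

```python
# Added example: why a salted, iterated hash store resists precomputed lookups
# while an unsalted SHA-512 store does not. Standard library only.
import hashlib
import hmac
import os

ROUNDS = 100_000  # constructed work factor; tune per deployment in practice
COMMON = ["123456", "password", "qwerty", "letmein"]  # constructed sample list


def hash_unsalted(password):
    """What a site that 'didn't care enough to salt' might store: bare SHA-512."""
    return hashlib.sha512(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Shadow-style record '$pbkdf2-sha512$rounds$salt$digest' (constructed format).

    A fresh random salt per record means two users with the same password
    get different stored values, so one precomputed table cannot serve both.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ROUNDS)
    return "$pbkdf2-sha512$%d$%s$%s" % (ROUNDS, salt.hex(), digest.hex())


def verify_salted(password, record):
    """Re-derive with the stored salt and rounds; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha512":
        return False  # malformed or foreign record: never fall back to a weaker check
    _, _, rounds, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_lookup(candidates):
    """Precomputed unsalted-SHA-512 -> password table (the rainbow-table idea)."""
    return {hash_unsalted(p): p for p in candidates}


def recover_with_table(leaked_records, table):
    """Which leaked records a precomputed table resolves immediately.

    Unsalted hashes of common passwords match at once; salted records never
    do, because the salt is folded into the digest and the table lacks it.
    """
    return {h: table[h] for h in leaked_records if h in table}
```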
(Score: 3, Insightful) by captain normal on Wednesday August 06 2014, @04:47PM
And this just begs the question, why do so many sites require/ask for user names and passwords for no real reason? If I look at a site one time seeking information, why are they wanting me to register?
"Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan--
(Score: 2) by RaffArundel on Wednesday August 06 2014, @06:45PM
Also it doesn't address how old these actually are. I read in the various reports making the rounds today that some of these are old and previously shared publicly, with many dupe user/pass/email combinations. For all we know, they could be collecting/buying all the different lists and the flaws have already been disclosed (and hopefully fixed) which is WAY different than another heartbleed-type issue being out in the wild.
I guess my bigger problem is how this is unfolding. An NDA is preventing him from telling us how bad the issue is? NDA with whom? Is it a single pervasive flaw or a current organized effort to exploit multiple flaws?
(Score: 2, Funny) by Justin Case on Wednesday August 06 2014, @12:08PM
I have a script that will generate ALL passwords! I'd post the file here to prove it but the script is still running and my hard drive keeps crashing. :(
(Score: 2) by Blackmoore on Wednesday August 06 2014, @02:47PM
also reported at Ars Technica;
http://arstechnica.com/security/2014/08/report-shadowy-russian-hacker-group-now-has-1-2b-usernames-passwords/
"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," Alex Holden, the founder and chief information security officer of Hold Security, told The Times. "And most of these sites are still vulnerable."
(Score: 4, Insightful) by Dunbal on Wednesday August 06 2014, @02:49PM
All your base are belong to us.
And you thought we were kidding.
(Score: 1, Informative) by Anonymous Coward on Wednesday August 06 2014, @06:49PM
Never trust the NYT. The security vendor is trying to get subscriptions for their so-called identity theft protection service. See
http://www.washingtonpost.com/news/morning-mix/wp/2014/08/06/russian-hackers-steal-a-billion-passwords-security-firm-seizes-opportunity/
(Score: 3, Funny) by DECbot on Wednesday August 06 2014, @11:03PM
So, I take it that the NSA's database goes by the pseudonym of 'Russian Gang' now?
cats~$ sudo chown -R us /home/base