SoylentNews is people

posted by Cactus on Thursday February 27 2014, @03:30PM
from the uses-same-password-for-everything dept.

c0lo writes:

"Reuters reports that security company Hold Security LLC has uncovered stolen login credentials from some 360 million online accounts that are available for sale on cyber black markets. Some of the more salient points in the article include:

  • The data was made available over the past three weeks, meaning an unprecedented amount of stolen credentials are available for sale underground.
  • The security firm is unsure where the credentials came from or what they can be used to access; the worst case scenario may include online bank account and private health records.
  • The credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may be unaware for the present.

The same source reports the stash was obtained in multiple breaches, but the login credentials of 105 million accounts may have been taken in a single attack. If confirmed, this would make it the largest single breach to date.

Hold Security LLC is the same company that uncovered the Adobe customer data breach in October 2013."

  • (Score: 3, Interesting) by The Mighty Buzzard on Thursday February 27 2014, @03:33PM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@soylentnews.org> on Thursday February 27 2014, @03:33PM (#8002) Homepage Journal
    That number looks familiar. Weren't there ~350 million stolen in the Target hack?
    --
    My rights don't end where your fear begins.
    • (Score: 5, Informative) by Keldrin on Thursday February 27 2014, @03:39PM

      by Keldrin (773) on Thursday February 27 2014, @03:39PM (#8006) Journal

      That was credit card numbers. This article is talking about credentials, which include usernames and passwords for "major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations".

      • (Score: 5, Funny) by snick on Thursday February 27 2014, @03:40PM

        by snick (1408) on Thursday February 27 2014, @03:40PM (#8008)

        That's great news. Now I can get that 3 digit SN uid that I just missed.

        • (Score: 0) by SurvivorZ on Friday February 28 2014, @04:41AM

          by SurvivorZ (792) on Friday February 28 2014, @04:41AM (#8272)

          Meh, I'm perfectly happy with my UID ;-)

        • (Score: 1) by SockPuppet on Friday February 28 2014, @06:26AM

          by SockPuppet (157) on Friday February 28 2014, @06:26AM (#8318)

          Got some rare things on sale, stranger!

          (No, I am not actually for sale.)

      • (Score: 4, Interesting) by frojack on Thursday February 27 2014, @07:52PM

        by frojack (1554) Subscriber Badge on Thursday February 27 2014, @07:52PM (#8098) Journal

        Well, to be fair, the article didn't say what those companies are.

        It did say: He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

        So that's pretty strange, he seems to have discovered some collections of usernames and passwords, but he can't or won't tell which sites they belong to, or if there is more than one company involved.

        360 million log-ins is like Population of the United States sized.

        So if it were a single company you are looking at Google or Yahoo or Apple sized companies.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by Angry Jesus on Thursday February 27 2014, @08:33PM

          by Angry Jesus (182) on Thursday February 27 2014, @08:33PM (#8109)

          So that's pretty strange, he seems to have discovered some collections of usernames and passwords, but he can't or won't tell which sites they belong to, or if there is more than one company involved.

          Not so strange. Presumably he has usernames and passwords. Neither are sufficient to identify the site at which those usernames and passwords actually are registered. Given that people often use the same username/password combo at multiple sites, even if he were to surreptitiously test out a few at major sites, that still wouldn't be enough to conclude which sites had been compromised.

          • (Score: 2, Insightful) by Keldrin on Thursday February 27 2014, @09:39PM

            by Keldrin (773) on Thursday February 27 2014, @09:39PM (#8124) Journal

            From TFA: "The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text."
            So I would say you're correct. Having johndoe@microsoft.com:secretpa$$word will tell you that there is a Microsoft employee with the username johndoe, and if they reuse passwords then secretpa$$word may work for an account within Microsoft, but it doesn't mean that Microsoft is what was broken into. Maybe by "companies involved" they mean telling Microsoft that the johndoe account may be at risk, even though the leak came from some random video site or something that got hacked.

            • (Score: 0) by SurvivorZ on Friday February 28 2014, @04:44AM

              by SurvivorZ (792) on Friday February 28 2014, @04:44AM (#8277)

              It's obviously that Chinese Facebook site… Or the *real* Facebook, even better.

              [Testing to see if SN.org supports UTF-8 ellipsis, unlike a similar site that shalln't be named. [Nope ;(( It's 2014, for crying out loud ;(]

    • (Score: 5, Funny) by mrwizrd on Thursday February 27 2014, @03:42PM

      by mrwizrd (2299) on Thursday February 27 2014, @03:42PM (#8009)

      HS: We found lots of stolen credentials!

      Where from?

      HS: We don't know!

      What services are they for?

      HS: We don't know! But there are a lot of passwords here! This is a big deal and you should be concerned and remember our name!

      Have you informed anyone?

      HS: No. Well, except for one e-mail provider. But we can't tell you who! In fact, we're not going to give you any useful information.

      Thanks for the press release, Hold Security.

      • (Score: 5, Funny) by c0lo on Thursday February 27 2014, @03:56PM

        by c0lo (156) on Thursday February 27 2014, @03:56PM (#8021) Journal

        Thanks for the press release, Hold Security.

        Given that high number, maybe it is wise to change the passwords for services critical to you... I don't know, at least soylentnews?
        Just to be on the safish side, but with no warranties those guys won't breach again.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
  • (Score: 5, Interesting) by caseih on Thursday February 27 2014, @03:45PM

    by caseih (2744) on Thursday February 27 2014, @03:45PM (#8012)

    I wonder if there's a way to find out if any of my login credentials are in that list. Would be kind of nice if they had a way that we could search just for my login name's presence in the list.

    I used to google for some of the digits of my credit card time or ssn to see if they existed out there in some document. Never have found anything that way.

    • (Score: 5, Informative) by mrwizrd on Thursday February 27 2014, @03:49PM

      by mrwizrd (2299) on Thursday February 27 2014, @03:49PM (#8014)

      You might check https://haveibeenpwned.com/ [haveibeenpwned.com].

      • (Score: 3, Interesting) by swisskid on Thursday February 27 2014, @04:59PM

        by swisskid (803) on Thursday February 27 2014, @04:59PM (#8045)

        This is cool, but I wonder how my account that I created in 2013 on Gawker got pwned in the 2010 hack.

      • (Score: 1) by ikanreed on Thursday February 27 2014, @05:31PM

        by ikanreed (3164) on Thursday February 27 2014, @05:31PM (#8062) Journal

        This is the most useful website ever.

      • (Score: 5, Informative) by captain normal on Thursday February 27 2014, @07:25PM

        by captain normal (2205) on Thursday February 27 2014, @07:25PM (#8092)

        Sure...Like I'm going to just enter my user-name for all my email and other accounts into a field in some random site.

        --
        “I have not failed. I’ve just found 10,000 ways that won’t work.” Thomas Edison
      • (Score: 0) by Anonymous Coward on Friday February 28 2014, @06:34AM

        by Anonymous Coward on Friday February 28 2014, @06:34AM (#8324)

        Of course I have. The best part about it is that when the NSA comes to drag me away, I can claim it was just a hacker in China.

    • (Score: 5, Funny) by Katastic on Thursday February 27 2014, @04:03PM

      by Katastic (3340) on Thursday February 27 2014, @04:03PM (#8029)

      >I wonder if there's a way to find out if any of my login credentials are in that list.

      Easy. Just type it here and I'll check. Don't worry, your password will just show up as ******* to us.

      • (Score: 5, Funny) by snick on Thursday February 27 2014, @04:45PM

        by snick (1408) on Thursday February 27 2014, @04:45PM (#8041)

        Oh great. How did you guess that my password is "*******" ?

      • (Score: 5, Funny) by olorin1 on Thursday February 27 2014, @05:16PM

        by olorin1 (2432) on Thursday February 27 2014, @05:16PM (#8054)

        Let's give this a shot: hunter1

      • (Score: 5, Funny) by marcello_dl on Thursday February 27 2014, @06:12PM

        by marcello_dl (2685) on Thursday February 27 2014, @06:12PM (#8073)

        My password IS "*******", you insensitive clod!

      • (Score: 3, Funny) by FuckBeta on Thursday February 27 2014, @07:32PM

        by FuckBeta (1504) on Thursday February 27 2014, @07:32PM (#8093) Homepage

        hunter2

        --
        Quit Slashdot...because Fuck Beta!
    • (Score: 5, Funny) by paddym on Thursday February 27 2014, @04:28PM

      by paddym (196) on Thursday February 27 2014, @04:28PM (#8035)

      No problem sir. Just input your username/password/website into this dialog and we can see if it matches any of the 360 million hashes we have on file. Ok, just wait a few minutes. Don't hit the back button, or check any of your pertinent accounts. We will be finishing our analysis in just a few minutes. Unfortunately, it appears your website is a match, and most of your data has been stolen. Fortunately, you can just pay $xxx to reinstate your account and have your password reset. Now you can feel confident that no one has access to your account. Like us on facebook and write a yelp review about your experience.

  • (Score: 5, Interesting) by Anonymous Coward on Thursday February 27 2014, @03:50PM

    by Anonymous Coward on Thursday February 27 2014, @03:50PM (#8016)

    Companies need to be held criminally responsible for data breaches like these. Designers / administrators who sign off on systems that lose customer data should be personally fined or reprimanded by their professional organizations.

    If customer data is a) stolen, and b) not encrypted / salted / etc., then someone was negligent. The web is no longer the wild west; computer security is no longer an academic concern.

    • (Score: 5, Funny) by c0lo on Thursday February 27 2014, @04:02PM

      by c0lo (156) on Thursday February 27 2014, @04:02PM (#8027) Journal

      The web is no longer the wild west

      Believe me, it is far more than the wild west.
      Want proof? I can guarantee they didn't have as many individual hookers as there are pr0n sites today.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 1) by SuperCharlie on Thursday February 27 2014, @05:15PM

      by SuperCharlie (2939) on Thursday February 27 2014, @05:15PM (#8051)

      My tinfoil hat tells me it is more likely that undisclosed vulnerabilities are used at this scale than sloppy coding/security. The kind that sell on the black market and are hoarded by "other" entities.

      • (Score: 4, Funny) by bd on Thursday February 27 2014, @06:14PM

        by bd (2773) on Thursday February 27 2014, @06:14PM (#8074)

        My tinfoil hat tells me it is more likely that undisclosed vulnerabilities are used at this scale

        Confused here... I thought the hat was intended to make the voices go away?!

    • (Score: 5, Interesting) by Buck Feta on Thursday February 27 2014, @05:33PM

      by Buck Feta (958) on Thursday February 27 2014, @05:33PM (#8063) Journal
      > Designers / administrators who sign off on systems

      Who would ever take one of these jobs then?
      --
      - fractious political commentary goes here -
      • (Score: 5, Interesting) by SMI on Thursday February 27 2014, @05:40PM

        by SMI (333) on Thursday February 27 2014, @05:40PM (#8067)

        Yeah, really. Eventually the omniscient upper-management, who are responsible for oversight, ought to have to be held accountable. Not any time soon, obviously, but eventually!

      • (Score: 0) by Anonymous Coward on Friday February 28 2014, @12:50AM

        by Anonymous Coward on Friday February 28 2014, @12:50AM (#8184)

        Not like they usually get to sign off on systems themselves. They're more likely to be told to stuff their paranoia, and just get things done.

  • (Score: 1) by paddym on Thursday February 27 2014, @04:31PM

    by paddym (196) on Thursday February 27 2014, @04:31PM (#8037)

    Alex Holden? Heather "Bear"field? Wade Baker? Are we sure this isn't a bunch of fictional phonies out to phony up our phony world?

  • (Score: 4, Funny) by denmarkw00t on Thursday February 27 2014, @04:41PM

    by denmarkw00t (2877) on Thursday February 27 2014, @04:41PM (#8040)

    private heath records.

    Dammit - my receipts! Everyone will know my penchant for toffee and chocolate!

    --
    buck feta
    • (Score: 1) by Statecraftsman on Thursday February 27 2014, @05:23PM

      by Statecraftsman (1149) on Thursday February 27 2014, @05:23PM (#8058)

      Cash. Pay with cash in person, check for security cameras, and do your trades inside parking garages.

    • (Score: 1) by bearhouse on Thursday February 27 2014, @06:46PM

      by bearhouse (2237) on Thursday February 27 2014, @06:46PM (#8078)

      Thought everyone here liked beer and hookers?

      • (Score: 3, Informative) by dougisfunny on Thursday February 27 2014, @09:55PM

        by dougisfunny (3458) on Thursday February 27 2014, @09:55PM (#8135)

        I thought it was 'hookers and blow' or 'blackjack and hookers'

    • (Score: 0) by Anonymous Coward on Friday February 28 2014, @12:22PM

      by Anonymous Coward on Friday February 28 2014, @12:22PM (#8439)

      Heath, Noun (countable and uncountable, plural heaths)

              1. Any small evergreen shrub of the genus Erica.

              2. A tract of level uncultivated land with sandy soil and scrubby vegetation; heathland.

      -- https://en.wiktionary.org/wiki/heath [wiktionary.org]

      I personally enjoy my toffee without evergreen shrubs.

  • (Score: 5, Funny) by skullz on Thursday February 27 2014, @07:07PM

    by skullz (2532) on Thursday February 27 2014, @07:07PM (#8087)

    I was having a heck of a time getting my password reset and was tired of being put on hold. Now I can just look it up!

    Thanks, h4x0rz!

  • (Score: 1) by Fuzzums on Friday February 28 2014, @02:32PM

    by Fuzzums (2009) on Friday February 28 2014, @02:32PM (#8508)

    Nice thing is that it was probably an older server, containing outdated data, that was hacked here.
    The email addresses are now used in the Ukraine by spammers / scammers.

    Single purpose email addresses: so practical and traceable.
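
Added example, not part of any comment above and not code from the article or from Hold Security: a sketch of the single-purpose address idea in the last comment. It also speaks to the earlier point in the thread that an `email:password` pair does not by itself say which site leaked it. The key, mailbox, site names, dump lines and the plus-addressing scheme are all constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"     # assumption: key known only to the mailbox owner
MAILBOX = ("alice", "example.org")   # constructed mailbox; plus-addressing assumed to work

def tag_for(site: str) -> str:
    """Keyed tag, so an alias cannot be guessed or forged from the site name alone."""
    mac = hmac.new(SECRET, site.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:8]

def alias_for(site: str) -> str:
    """The one address handed to exactly one site."""
    user, domain = MAILBOX
    label = site.lower().replace(".", "-")
    return f"{user}+{label}.{tag_for(site)}@{domain}"

def trace_leak(address: str, known_sites):
    """Return the site this alias was issued to, or None if it is not ours."""
    issued = {alias_for(site): site for site in known_sites}
    return issued.get(address.strip().lower())

def attribute_dump(lines, known_sites):
    """Count, per issuing site, the 'email:password' dump lines that trace back."""
    hits = {}
    for line in lines:
        email, sep, _password = line.partition(":")
        if not sep:
            continue                  # not an email:password record
        site = trace_leak(email, known_sites)
        if site is not None:
            hits[site] = hits.get(site, 0) + 1
    return hits

SITES = ["videosite.example", "bank.example"]   # constructed site names
DUMP = [                                         # constructed dump lines
    alias_for("videosite.example") + ":pw1",     # traceable to one site
    "alice@example.org:pw2",                     # shared address: source unknown
    "alice+bank-example.00000000@example.org:pw3",  # wrong tag: not issued by us
    "malformed line",
]

if __name__ == "__main__":
    print(attribute_dump(DUMP, SITES))
```

The shared address in the second dump line matches no alias, which is the situation the thread describes: the record shows an account is at risk but not where it was taken from.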