Stories
Slash Boxes
Comments

SoylentNews is people

posted by Cactus on Thursday February 27 2014, @03:30PM   Printer-friendly
from the uses-same-password-for-everything dept.

c0lo writes:

"Reuters reports that security company Hold Security LLC has uncovered stolen log in credentials from some 360 million online accounts that are available for sale on cyber black markets. Some of the more salient points in the article include:

  • The data was made available over the past three weeks, meaning an unprecedented amount of stolen credentials are available for sale underground.
  • The security firm is unsure where the credentials came from or what they can be used to access; the worst case scenario may include online bank account and private health records.
  • The credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may be unaware for the present.

The same source reports the stash was obtained in multiple breaches, but the log in credentials of 105 million accounts may have been taken in a single attack. If confirmed, this would make the largest single breach to date.

Hold Security LLC is the same company that uncovered the Adobe customer data breach in October 2013."

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by The Mighty Buzzard on Thursday February 27 2014, @03:33PM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday February 27 2014, @03:33PM (#8002) Homepage Journal
    That number looks familiar. Weren't there ~350 million stolen in the Target hack?
    --
    My rights don't end where your fear begins.
    Starting Score:    1  point
    Moderation   +2  
       Interesting=2, Informative=1, Overrated=1, Total=4
    Extra 'Interesting' Modifier   0  

    Total Score:   3  
  • (Score: 5, Informative) by Keldrin on Thursday February 27 2014, @03:39PM

    by Keldrin (773) on Thursday February 27 2014, @03:39PM (#8006) Journal

    That was credit card numbers. This article is talking about credentials, which include usernames and passwords for "major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations".

    • (Score: 5, Funny) by snick on Thursday February 27 2014, @03:40PM

      by snick (1408) on Thursday February 27 2014, @03:40PM (#8008)

      That's great news. Now I can get that 3 digit SN uid that I just missed.

      • (Score: 0) by SurvivorZ on Friday February 28 2014, @04:41AM

        by SurvivorZ (792) on Friday February 28 2014, @04:41AM (#8272)

        Meh, I'm perfectly happy with my UID ;-)

      • (Score: 1) by SockPuppet on Friday February 28 2014, @06:26AM

        by SockPuppet (157) on Friday February 28 2014, @06:26AM (#8318)

        Got some rare things on sale, stranger!

        (No, I am not actually for sale.)

    • (Score: 4, Interesting) by frojack on Thursday February 27 2014, @07:52PM

      by frojack (1554) on Thursday February 27 2014, @07:52PM (#8098) Journal

      Well, to be fair, the article didn't say what those companies are.

      It did say: :He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

      So that's pretty strange, he seems to have discovered some collections usernames and passwords, but he can't or won't tell which sites they belong to, of if there is more than one company involved.

      360 million log-ins is like Population of the United States sized.

      So if it were a single company you are looking at Google or Yahoo or Apple sized companies.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Angry Jesus on Thursday February 27 2014, @08:33PM

        by Angry Jesus (182) on Thursday February 27 2014, @08:33PM (#8109)

        So that's pretty strange, he seems to have discovered some collections usernames and passwords, but he can't or won't tell which sites they belong to, of if there is more than one company involved.

        Not so strange. Presumably he has usernames and passwords. Neither are sufficient to identify the site at which those usernames and passwords actually are registered. Given that people often use the same username/password combo at multiple sites, even if he were to surreptitiously test out a few at major sites, that still wouldn't be enough to conclude which sites had been compromised.

        • (Score: 2, Insightful) by Keldrin on Thursday February 27 2014, @09:39PM

          by Keldrin (773) on Thursday February 27 2014, @09:39PM (#8124) Journal

          From TFA: "The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text."
          So I would say you're correct. Having johndoe@microsoft.com:secretpa$$word will tell you that there is a Microsoft employee with the username johndoe, and if they reuse passwords then secretpa$$word may work for an account within Microsoft, but it doesn't mean that Microsoft is what was broken into. Maybe by "companies involved" they mean telling Microsoft that the johndoe account may be at risk, even though the leak came from some random video site or something that got hacked.

          • (Score: 0) by SurvivorZ on Friday February 28 2014, @04:44AM

            by SurvivorZ (792) on Friday February 28 2014, @04:44AM (#8277)

            It's obviously that Chinese Facebook site… Or the *real* Facebook, even better.

            [Testing to see if SN.org supports UTF-8 ellipsis, unlike a similar site that shalln't be named. [Nope ;(( It's 2014, for crying out loud ;(]

  • (Score: 5, Funny) by mrwizrd on Thursday February 27 2014, @03:42PM

    by mrwizrd (2299) on Thursday February 27 2014, @03:42PM (#8009)

    HS: We found lots of stolen cridentials!

    Where from?

    HS: We don't know!

    What services are they for?

    HS: We don't know! But there are a lot of passwords here! This is a big deal and you should be concerned and remember our name!

    Have you informed anyone?

    HS: No. Well, except for one e-mail provider. But we can't tell you who! In fact, we're not going to give you any useful information.

    Thanks for the press release, Hold Security.

    • (Score: 5, Funny) by c0lo on Thursday February 27 2014, @03:56PM

      by c0lo (156) Subscriber Badge on Thursday February 27 2014, @03:56PM (#8021) Journal

      Thanks for the press release, Hold Security.

      Given that high number, maybe is wise to change the passwords for services critical to you .. I don't know, at least soylentnews?
      Just to be on the safish side, but with no warranties those guys won't breach again.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford