SoylentNews is people

posted by Cactus on Thursday February 27 2014, @03:30PM
from the uses-same-password-for-everything dept.

c0lo writes:

"Reuters reports that security company Hold Security LLC has uncovered stolen log in credentials from some 360 million online accounts that are available for sale on cyber black markets. Some of the more salient points in the article include:

  • The data was made available over the past three weeks, meaning an unprecedented amount of stolen credentials are available for sale underground.
  • The security firm is unsure where the credentials came from or what they can be used to access; the worst case scenario may include online bank account and private health records.
  • The credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may be unaware for the present.

The same source reports the stash was obtained in multiple breaches, but the log in credentials of 105 million accounts may have been taken in a single attack. If confirmed, this would make it the largest single breach to date.

Hold Security LLC is the same company that uncovered the Adobe customer data breach in October 2013."

 
  • (Score: 2) by Angry Jesus (182) on Thursday February 27 2014, @08:33PM (#8109)

    So that's pretty strange, he seems to have discovered some collections of usernames and passwords, but he can't or won't tell which sites they belong to, or if there is more than one company involved.

    Not so strange. Presumably he has usernames and passwords. Neither is sufficient to identify the site at which those usernames and passwords actually are registered. Given that people often use the same username/password combo at multiple sites, even if he were to surreptitiously test out a few at major sites, that still wouldn't be enough to conclude which sites had been compromised.

  • (Score: 2, Insightful) by Keldrin (773) on Thursday February 27 2014, @09:39PM (#8124)

    From TFA: "The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text."
    So I would say you're correct. Having johndoe@microsoft.com:secretpa$$word will tell you that there is a Microsoft employee with the username johndoe, and if they reuse passwords then secretpa$$word may work for an account within Microsoft, but it doesn't mean that Microsoft is what was broken into. Maybe by "companies involved" they mean telling Microsoft that the johndoe account may be at risk, even though the leak came from some random video site or something that got hacked.

    • (Score: 0) by SurvivorZ (792) on Friday February 28 2014, @04:44AM (#8277)

      It's obviously that Chinese Facebook site… Or the *real* Facebook, even better.

      [Testing to see if SN.org supports UTF-8 ellipsis, unlike a similar site that shalln't be named. [Nope ;(( It's 2014, for crying out loud ;(]