Russian criminals have stolen 1.2 billion Internet user
names and passwords, amassing what could be the
largest collection of stolen digital credentials in history, a
respected security firm said Tuesday.
There's no need to panic at this point -- Hold Security, the firm that
discovered the theft, says the gang isn't in the business of stealing
your bank account information. Instead, they make their money by
sending out spam for bogus products like weight-loss pills.
The Milwaukee-based firm, didn't reveal the identities of the targeted
websites, citing nondisclosure agreements and a desire to prevent
existing vulnerabilities from being more widely exploited.
Hold Security founder Alex Holden told CNNMoney that the trove
includes credentials gathered from over 420,000 websites -- both
smaller sites as well as "household names." The criminals didn't
breach any major email providers, he said.
A credential pair consists of a user name -- often an email address --
plus a password. There are roughly half a billion email addresses in
the gang's collection, Hold Security says.
Holden said the gang makes its money by hacking into email and
social accounts, posing as trusted friends and family and advertising
bogus products. That means that if you see strange messages being
sent from your email or social media accounts, you might be among
those affected.
"It's really not that impactful to the individuals, and that's why they
were under the radar for so long," Holden said. "They've ignored
financial information almost completely."
The criminals began collecting user data a few years ago by simply
buying it on the black market. Their stash has grown significantly this
year thanks to their use of an automated program that trawls the
Internet to find vulnerabilities on websites, Holden said.
The reported theft dwarfs the one revealed last year by discount
retailer Target ( ), which admitted in December that hackers had
stolen credit- and debit-card data from 40 million accounts.
Hackers from Russia and Eastern Europe are known for launching
sophisticated cyberattacks for financial gain. Beyond spam, organized
crime syndicates in the region have engaged in more sophisticated
activities like corporate espionage and the theft of credit-card details.
The extent of the theft shows people need to better manage their
credentials, cybersecurity experts say. Most people keep the same
password for multiple services, such as banking, email and social
media accounts. That allows hackers to turn a single password
database into a treasure trove.
One simple way to stem the damage is to use two-factor
authentication whenever possible to sign into online services, said
Eric Cowperthwaite, an executive at network security provider Core
Security. This method requires you to enter a second password,
usually generated by your smartphone, upon login.
Jay Kaplan, CEO of cybersecurity firm Synack, criticized the companies
involved for not being alert enough about their own security.
"It's likely that most of them do not even realize how many times
they've been compromised," he said.
http://money.cnn.com/2014/08/05/technology/security/russian-hackers-theft/index.html?iid=TL_Popular

[how did they do it][/sup]