Russian Hackers Probably Know Your Passwords


Holy crap:

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites….At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

So far, says the Times, the Russian hackers are mostly using the information “to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.” I guess that counts as good news, all things considered, though obviously that could change quickly. Here’s how the Russian gang did it:

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity….Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

I guess I really should get started on my annual password-changing exercise. Or maybe get a password manager, which I’ve resisted so far for reasons that may not really be that compelling. Or, alternatively, just forget the whole thing except for a very few sites that pose a real threat if hacked. I mean, do I really care if someone gets the password to my LA Times account? What good would it do them? Unfortunately, even on a fairly narrow reading of “real threat,” I come up with nearly a couple dozen sites. That’s still a lot of passwords to change.

THANK YOU.

We recently wrapped up the crowdfunding campaign for our ambitious Mother Jones Corruption Project, and it was a smashing success. About 10,364 readers pitched in with donations averaging $45, and together they contributed about $467,374 toward our $500,000 goal.

That's amazing. We still have donations from letters we sent in the mail coming back to us, so we're on pace to hit—if not exceed—that goal. Thank you so much. We'll keep you posted here as the project ramps up, and you can join the hundreds of readers who have alerted us to corruption to dig into.

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate

Share your feedback: We’re planning to launch a new version of the comments section. Help us test it.