Last week, Hold Security, a Milwaukee information security firm, announced that a Russian cyber gang, dubbed “CyberVor”, nabbed over 4.5 billion user records. Of these records, Hold Security estimates that 1.2 billion usernames and passwords, including over 500 million unique email addresses, have been breached. Since the release, some security researchers have expressed doubt about the validity of the breach, but we know that an announcement of this magnitude will not go unnoticed by the industry or regulators. In fact, the Federal Trade Commission on Friday already issued notices to consumers regarding this incident.
To put this in perspective, the Target data breach involved the theft of 110 million records. Unlike Target, the CyberVors accumulated this quantity of credentials by targeting 420,000 sites of all sizes. Hold Security has not publicly identified the affected sites, but Alex Holden, founder and chief information security officer, told the New York Times that “hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”
The hackers were able to conduct such a massive attack by renting botnet networks through an underground black market. Cybercriminals can rent computers infected with botnets/malware on a large and distributed scale for internet proxies (as was done here), denial of service attacks, SPAM, click through advertising fraud, or other activities. In this case, the CyberVors programmed the botnets –on computers where owners are unaware that their system is being used this way – so that any time an infected user visits a website the botnet tests the site to determine if it is vulnerable to an SQL injection. The New York Times explained that the vulnerable sites were flagged so hackers could “return later to extract the full contents of the database.”
SQL injections are a common programming vulnerability (that can be detected in many instances by code scanning software). This massive hack and credential hoard by CyberVor should be a good reminder that companies must continue to conduct security due diligence on both malware awareness and development security. Companies who want to know whether they have been impacted by this breach may be able to find out by signing on with Hold Security’s breach notification services. If Hold Security discovered a SQL vulnerability that has been exploited on your website, it is in your best interest to clean it up as soon as possible. Both Florida and California recently updated their data breach notification laws to require notification of credentials breaches, so companies will only have more to report if their websites suffer continued exposure.
This breach underscores the need for diligent data security dialogues within companies. This Fall ZwillGen will be offering a Security Bootcamp webinar series that includes sessions on application security and vulnerability management. For more information, follow our blog or contact Amy Mushahwar.
Feature photo by Stiftelsen from Flickr