Russian Hackers Probably Know Your Passwords


Holy crap:

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites….At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

So far, says the Times, the Russian hackers are mostly using the information “to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.” I guess that counts as good news, all things considered, though obviously that could change quickly. Here’s how the Russian gang did it:

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity….Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

I guess I really should get started on my annual password-changing exercise. Or maybe get a password manager, which I’ve resisted so far for reasons that may not really be that compelling. Or, alternatively, just forget the whole thing except for a very few sites that pose a real threat if hacked. I mean, do I really care if someone gets the password to my LA Times account? What good would it do them? Unfortunately, even on a fairly narrow reading of “real threat,” I come up with nearly a couple dozen sites. That’s still a lot of passwords to change.

A BETTER WAY TO DO THIS?

We have an ambitious $350,000 online fundraising goal this month and we can't afford to come up short. But when a reader recently asked how being a nonprofit makes Mother Jones different from other news organizations, we realized we needed to lay this out better: Because "in absolutely every way" is essentially the answer.

So we tried to explain why your year-end donations are so essential, and we'd like your help refining our pitch about what make Mother Jones valuable and worth reading to you.

We'd also like your support of our journalism with a year-end donation if you can right now—all online gifts will be doubled until we hit our $350,000 goal thanks to an incredibly generous donor's matching gift pledge.

payment methods

A BETTER WAY TO DO THIS?

We have an ambitious $350,000 online fundraising goal this month and we can't afford to come up short. But when a reader recently asked how being a nonprofit makes Mother Jones different from other news organizations, we realized we needed to lay this out better: Because "in absolutely every way" is essentially the answer.

So we tried to explain why your year-end donations are so essential, and we'd like your help refining our pitch about what make Mother Jones valuable and worth reading to you.

We'd also like your support of our journalism with a year-end donation if you can right now—all online gifts will be doubled until we hit our $350,000 goal thanks to an incredibly generous donor's matching gift pledge.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate