Russian Hackers Probably Know Your Passwords


Holy crap:

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites….At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

So far, says the Times, the Russian hackers are mostly using the information “to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.” I guess that counts as good news, all things considered, though obviously that could change quickly. Here’s how the Russian gang did it:

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity….Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

I guess I really should get started on my annual password-changing exercise. Or maybe get a password manager, which I’ve resisted so far for reasons that may not really be that compelling. Or, alternatively, just forget the whole thing except for a very few sites that pose a real threat if hacked. I mean, do I really care if someone gets the password to my LA Times account? What good would it do them? Unfortunately, even on a fairly narrow reading of “real threat,” I come up with nearly a couple dozen sites. That’s still a lot of passwords to change.

DEMOCRACY DOES NOT EXIST...

without free and fair elections, a vigorous free press, and engaged citizens to reclaim power from those who abuse it.

In this election year unlike any other—against a backdrop of a pandemic, an economic crisis, racial reckoning, and so much daily crazy—Mother Jones' journalism is driven by one simple question: Will America will move closer to, or further from, justice and equity in the years to come?

If you're able to, please join us in this mission with a donation today. Our reporting right now is focused on voting rights and election security, corruption, disinformation, racial and gender equity, and the climate crisis. We can’t do it without the support of readers like you, and we need to give it everything we've got between now and November. Thank you.

DEMOCRACY DOES NOT EXIST...

without free and fair elections, a vigorous free press, and engaged citizens to reclaim power from those who abuse it.

In this election year unlike any other—against a backdrop of a pandemic, an economic crisis, racial reckoning, and so much daily crazy—Mother Jones' journalism is driven by one simple question: Will America will move closer to, or further from, justice and equity in the years to come?

If you're able to, please join us in this mission with a donation today. Our reporting right now is focused on voting rights and election security, corruption, disinformation, racial and gender equity, and the climate crisis. We can’t do it without the support of readers like you, and we need to give it everything we've got between now and November. Thank you.

We Recommend

Latest

Sign up for our newsletters

Subscribe and we'll send Mother Jones straight to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate