The news this week about a Russian cyber gang amassing 1.2 billion user credentials including emails and passwords has created a bit of a frenzy — in the media, in the security community, and among average users, all of whom are wondering what the heck really happened.
Sadly, the security firm behind the revelations, Hold Security, seems to be milking the publicity for financial gain by offering breach notification services to businesses starting at $120 per year.
Our security experts have been parsing the story, and have poked some holes in it.
As Sophos Senior Security Advisor Chester Wisniewski pointed out in an opinion column published at CNN.com, a large portion of the email addresses and passwords among the 1.2 billion were likely from previously disclosed data breaches of websites such as eBay, Adobe and Sony.
Many of the passwords associated with those accounts were “hashed,” meaning it would take the crooks a long time to crack them. Plus, some of these hashed passwords are quite old and probably useless to the criminals.
Unfortunately, we just don’t know where this trove of data comes from because Hold Security hasn’t fully disclosed its findings.
“Of course, we don’t know the truth and can’t analyze what is known because Hold Security is trying to figure out how to monetize the knowledge, leaving even the experts a bit in the dark about how serious a discovery this truly is,” Chet writes.
Despite Hold Security’s questionable methods and motivation, the company’s revelations demonstrate just how bad security is at many websites, and how passwords are failing at providing adequate security for online accounts.
In light of all this, we’ve got some security tips for businesses, website owners, and the public at large.
- Just to be safe, you should change your website passwords (including webmail, social media accounts, etc.). It’s good sense to change your passwords frequently.
- Always use unique passwords for each website.
- Use two-factor authentication wherever you can.
- Check your bank and social media accounts for suspicious behavior.
For website owners
- Install a Web Application Firewall, such as the WAF available in our UTM.
- Harden your website against SQL injection.
- Make sure your users’ passwords are stored safely.
- Enable two-factor authentication for your users.