Over the past 18 months, this was our conversation starter with many companies and individuals. Helping our clients prevent breaches or find their stolen data is our business. If you have been following information security, or even if you haven’t, you have probably heard of Hold Security and our work. In October 2013, we identified a data breach with Adobe Systems. Later in December that year, we independently identified and tracked the Target breach and in February 2014 we identified over 360 million stolen credentials trafficked on the black market. Overall, Hold Security played a role in identifying and helping victims with most of the largest breaches.
In the latest development, Hold Security’s Deep Web Monitoring practice in conjunction with our Credential Integrity Services discovered what could be arguably the largest data breach known to date.
Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach. Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.
After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it “CyberVor” (“vor” meaning “thief” in Russian).
The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.
How did this occur?
Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnets (large groups of virus-infected computers controlled by one criminal operator). These botnets used the victims’ systems to identify SQL injection vulnerabilities on the sites they visited; in effect, the botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified as potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from the sites’ databases. To the best of our knowledge, they focused mostly on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.
Who is affected?
The CyberVors did not differentiate between small and large sites. They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites.
4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your e-mail address and, let’s face it, almost everyone re-uses their passwords. So, it’s not hard to see how some of us could have been victimized more than once. A credential pair is a combination of a user id (mostly an e-mail address) and a password, and we have discovered 1.2 billion such unique pairs that have been breached. If we narrow it down by unique e-mail addresses, we still have over half a billion records, since multiple passwords may correspond to a single e-mail address. Not all of them are valid or current. Some people use fake e-mail addresses; in other cases the CyberVor gang might have stolen credentials that belonged to an e-mail address that you no longer have (e.g. one you used with your previous employer), a password that you haven’t used for over a decade, or even a default password automatically assigned to you by a website. Yet the sheer number of credentials can potentially open a door to many systems and accounts.
What do we do now?
Do not panic! Try to strategize.
Companies – check if your website is susceptible to SQL injection. It is hard to spot, and it may not be on your main site but on one of your auxiliary sites instead. If your websites are vulnerable, this will not be the last time you are victimized. Hold Security is proud to announce our new Breach Notification Service (BNS). After we verify your identity and entitlements to the website(s) or domain(s), we can tell you if you have been impacted by this or other breaches. Our Pen Testing and Audit Services are also available to investigate further and may find vulnerabilities that are yet to be discovered. Also, to keep your users protected from this and many other breaches, join our Credential Integrity Service and we will be able to notify you if any of them have had their credentials stolen.
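The breach vector described above (credential tables pulled out of site databases through SQL injection) and the advice to check your own sites for it come together in this added example; it is not Hold Security’s code and stands in for no particular victim site. It builds a constructed in-memory user table, shows the query pattern that lets a crafted input dump every row beside the parameterized form that treats the same input as a plain value, and wraps the comparison in a check a development team can keep as a regression test for its data-access layer.

```python
import sqlite3

# Constructed sample table standing in for a site's credential store.
# Real sites should store salted, slow password hashes, never plaintext.
SAMPLE_USERS = [
    ("alice@example.com", "hash-of-alice-password"),
    ("bob@example.com", "hash-of-bob-password"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # String formatting splices user-controlled text into the statement,
    # so a quote in the input changes the SQL the database executes.
    query = "SELECT email, pw_hash FROM users WHERE email = '%s'" % email
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    # Placeholder binding hands the value to the driver separately from
    # the statement text, so it can only ever be compared as data.
    query = "SELECT email, pw_hash FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Constructed probe: no real user has this as an e-mail address, so a
# correct lookup must return nothing for it.
PROBE = "' OR '1'='1"


def rows_leaked(lookup, probe=PROBE):
    """Count rows a lookup returns for the probe; anything above 0 is a finding."""
    conn = make_db()
    try:
        return len(lookup(conn, probe))
    except sqlite3.Error:
        return 0  # a syntax error is not a leak, though it still warrants a look
    finally:
        conn.close()


if __name__ == "__main__":
    print("string-formatted query leaks rows:", rows_leaked(lookup_vulnerable))
    print("parameterized query leaks rows:", rows_leaked(lookup_parameterized))
```

The same `rows_leaked` check can be pointed at each query helper in a code base; the parameterized version returns 0 for the probe while still finding a legitimate address such as `alice@example.com`.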
Individuals – the ultimate victims of the CyberVor gang are the end-users. Hold Security is proud to announce that we will be providing a full electronic identity monitoring service to all individuals within the next 60 days. Even if you are currently using another Identity Protection Service, your electronic identity may still be vulnerable. While we are getting our full service ready, we are inviting you to express your interest by pre-registering, free of charge and without any commitment. Once you register and complete a simple verification process, you will be able to check if your credentials have been found in CyberVor’s possession. We anticipate an overwhelming volume of requests, but please be patient and we will try to help you! We have developed a secure methodology for you to share with us a very strong (SHA512) cryptographic representation of your passwords for verification.
Update October 8, 2014
Hold Security has been working diligently on helping countless individuals to identify their stolen data impacted by this breach. We are still working on a consumer service to provide continuous protection and notification for your stolen credentials. While this service is under development, the pre-registration process will be closed. Please stay tuned for further announcements.