Menu
Massive Russian hack has researchers scratching their heads

Massive Russian hack has researchers scratching their heads

Many questions remain after a security company said it had uncovered a huge database of stolen online credentials

Don't worry, you're not the only one with more questions than answers about the 1.2 billion user credentials amassed by Russian hackers.

Some security researchers on Wednesday said it's still unclear just how serious the discovery is, and they faulted the company that uncovered the database, Hold Security, for not providing more details about what it discovered.

"The only way we can know if this is a big deal is if we know what the information is and where it came from," said Chester Wisniewski, a senior security advisor at Sophos. "But I can't answer that because the people who disclosed this decided they want to make money off of this. There's no way for others to verify."

Wisniewski was referring to an offer by Hold Security to notify website operators if they were affected, but only if they sign up for its breach notification service, which starts at US$120 per year. Individual consumers can find out through its identity protection service, which Hold Security says will be free for the first 30 days.

Hold Security didn't respond to email and telephone requests for comment Wednesday, though it may have been inundated with inquiries.

To recap, Hold Security said Tuesday it had obtained a massive database of stolen credentials amassed by a gang of Russian hackers. The database contains 1.2 billion unique "credential pairs" -- made up of a user ID (mostly email addresses) and an associated password. Looking at email addresses alone, there are "over half a billion," the company said, since some email addresses correspond to multiple passwords.

To assess how serious the discovery is, researchers want to know how old the credentials collected by the Russian gang are, where they came from, and how well-protected the passwords are by "hashing," which scrambles the passwords but can be vulnerable to brute force attack.

The age is important because the older they are, the more likely they are to be disused and less valuable, said Gary Davis, chief consumer security evangelist at McAfee.

Hold Security acknowledged in its announcement that "not all" the credentials are "valid or current," with some associated with fake email addresses, closed accounts or even passwords a decade old.

It's also unclear how many of the login and password credentials were culled online recently by the hacker group, and how many were acquired on the black market from previous hacks.

Hold Security said the hackers began by buying credentials from previously attacked accounts, and then did some hacking work of their own. But it's unclear how many of the 1.2 billion credentials came from previous hacking incidents, and which incidents those were.

"If you take Sony, LinkedIn, eBay and Adobe," said Wisniewski, naming four of the biggest recent password breaches, "that's already 500 million accounts."

Experts said the passwords were likely hashed, a process used by most websites these days. But there are several methods of doing that, and the older "MD5" method, for example, is more vulnerable than a more modern method called "salting," said Wisniewski.

For now, researchers are left guessing and reading between the lines because Hold Security has not released more information.

"It will be interesting to see if public opinion pressures them," said Wisniewski.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags sophosmcafeeHold Security

Featured

Slideshows

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Meet the winners of the 2020 Reseller News Innovation Awards

Meet the winners of the 2020 Reseller News Innovation Awards

Reseller News honoured the standout players of the New Zealand channel in front of more than 500 technology leaders in Auckland on 21 October, recognising the achievements of top partners, start-ups, vendors, distributors and individuals.

Meet the winners of the 2020 Reseller News Innovation Awards
Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Show Comments