A U.S. security firm has uncovered what appears to be the largest Internet security breach in recent memory, conducted by a group of Russia-based hackers.
According to Milwaukee-based firm Hold Security, which conducted an 18-month investigation into the breach, the online gang stole 1.2 billion username and password combos, as well as more than 500 million email addresses.
The hackers pulled off the data heist, which ultimately scooped up 4.5 billion records, by using a botnet (in this case, victims' computers infected with viruses that allowed a single operator to control a large group of affected systems) to test websites for SQL injection vulnerabilities. When a vulnerability was discovered, the hackers were then able to execute SQL injections, enabling them to send malicious commands to a website and steal its data, including usernames and passwords.
The group managed to steal information from 420,000 web and FTP sites, Hold Security said.
“Accounts are hacked and credentials are stolen every day; however, the number of credentials reportedly stolen is at a massive scale,” Eric Chiu, president of cloud company HyTrust, told Mashable.
“This is a huge wake-up call to consumers and companies that attackers are going after personal and work accounts in order to impersonate our online personas.”
Hold Security’s blog post, which details the data breach, also promotes the firm’s own services. However, an independent security expert hired by The New York Times confirmed the firm’s findings.
“Your data has not necessarily been stolen from you directly,” the blog post said. “It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family.”
The Russia-based cyber gang is made up of a dozen men in their 20s who began as amateur spammers by buying information on the online black market back in 2011, The New York Times reported. Ironically, the hacking revelation has come during the Black Hat computer-security conference in Las Vegas, which takes place from Aug. 2 to 7.
The Times said Hold Security is trying to develop an online tool to help individual users identify whether or not they were impacted by the data breach. Those who use the Internet for online banking and shopping will likely be the most troubled by the company’s report. As for businesses, they are advised to immediately run a check to see if their websites are vulnerable to SQL injections.
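For site owners acting on that advice, the following added example (not from Hold Security or the original article) shows the flaw described above beside its fix, plus a self-check a team can run against its own query functions. The table, account data and function names are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")])
    return db

def lookup_concat(db, username):
    """Vulnerable: user input is pasted into the SQL text itself."""
    sql = ("SELECT username, password_hash FROM users "
           "WHERE username = '" + username + "'")
    return db.execute(sql).fetchall()

def lookup_param(db, username):
    """Hardened: input is bound as a value and never parsed as SQL."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

# Inputs that a safe lookup must treat as plain, nonexistent usernames.
CHECK_INPUTS = ["'", "nobody' OR '1'='1"]

def is_injectable(lookup):
    """Self-check for your own query function: True if any check input
    changes the query's meaning (a SQL error, or rows returned for a
    username that does not exist)."""
    db = make_db()
    for value in CHECK_INPUTS:
        try:
            rows = lookup(db, value)
        except sqlite3.Error:
            return True   # the quote broke out of the string literal
        if rows:
            return True   # rows came back for a nonexistent username
    return False

if __name__ == "__main__":
    print("concatenated query injectable:", is_injectable(lookup_concat))
    print("parameterized query injectable:", is_injectable(lookup_param))
```

The same check belongs in a test suite for every function that builds a query from request data, so a regression to string concatenation fails the build.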
“If you haven’t updated your password recently, now would be the time,” Adam Kujawa, head of malware intelligence at security company Malwarebytes Labs, told Mashable. “Make sure it’s a strong password containing capital and lowercase letters, numbers and special characters. Also, don’t use the same username and password combo for every site. This is especially true for sites that have personal information like the site to your bank or credit card.”