by Indusface Research Team

The Great Cyber Robbery

A Russian gang has stolen 1.2 bn usernames and passwords and this is being quoted as the biggest cyber robbery that anyone has ever witnessed. The News of this discovery was first reported by Nicole Perlroth and David Gelles of the New York Times. Reports are citing that the primary tool used for hijacking this data is SQL Injection. The stolen records comprised of sensitive and confidential data from 420,000 websites. These include 1.2 bn usernames and password combinations and more than 500 mn email addresses.


How was the attack planned?

As per a security research company, which has been called in to study this hack, the hacker’s approach to steal data originally was different which they changed later. Initially, the hackers acquired databases from hackers in the black market, which contained stolen credentials. This data was further used to attack social media networks, email providers, and various other websites, and use them to spam and infect their victims. The legitimate systems were taken control of by installing malicious rerouting. Bots were created.

The hackers then used the botnets to find out SQL vulnerabilities on more than 400,000 websites which were vulnerable to cyberattack. They audited the websites for being prone to SQL vulnerability. These vulnerabilities were exploited to steal data from those sites’ database, and with this, they landed with a billion plus usernames and passwords. So the attacks started from small websites and proceeded to larger organizations, affecting many Russian websites as well.

As explained in a very unique terminology by a security researcher, the hackers performed “possibility the largest audit of websites ever”.

Who are the faces behind this massive hack?

Russian government is not believed to be involved in this attack. As per The Times, Russian hackers have long been using botnets to extract this type of information on a massive scale. This hacking ring is based in south central Russia, and comprises of less than a dozen men in their 20s, who not only know each other virtually but also personally. They began as amateur spammers somewhere in 2011, but now may have possibly joined forces with a more professional and larger entity.

More on the biggest hack in the history of Internet

While it is believed that many leading organizations in almost all the industries in the world have been affected, no details about them have been publicly disclosed. No reports about the data being sold online by hackers have surfaced, but it is believed that they are using the stolen credentials to spam users.

The Times has said that multiple security experts have analyzed the data and have confirmed its authenticity. It is also alleged that many big companies whose data shows in this stolen database, are aware of the theft.

What should be done next?

This attack was not targeted at only big organizations, but at every website that was visited by the victim. Therefore the smaller organizations might be equally affected.

Many websites are coming up with paid tests and services, to check whether their websites are secured against vulnerabilities similar to SQL attacks, but make sure that in search of a remedy, you do not fall prey to another disease. Do a proper search on the authenticity of such websites.

Few steps that should be taken immediately are:

For users

1. It is being advised to change your passwords. When you do change them, please use a combination of unusual characters.

2. Do not repeat passwords, ever! It can be difficult to keep remember passwords for all the multiple accounts you have, so you can use a reliable password wallet or password manager. You don’t have to worry about their cost, some of them are absolutely free.

3. Do not store them in plain text on your devices.

4. Many organizations like Gmail, Facebook are now providing two-factor authentication, which due to not being mandatory is not being utilized by users. Use it.

For Organizations-

  1. Scan your websites for any vulnerabilities, like being prone to SQL injections, find them and fix them. These scans should be done periodically, to check the health of your website.
  2. Transition to two-factor authentication. Make it mandatory. It will help you save from a lot of pain in the longer run.
  3. If you think your user data has been compromised by this attack, request your users to change their passwords immediately, on your website and on whichever other website they were repeating it. Trust me, they will be repeating it.
Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.