A
U.S. security firm has uncovered what appears to be the largest
Internet security breach in recent memory, conducted by a group of
Russia-based hackers.
According
to Milwaukee-based firm Hold Security, which conducted an 18-month
investigation into the breach, the online gang stole 1.2 billion
username and password combos, as well as more than 500 million email
addresses.
The
hackers pulled off the data heist, which ultimately scooped up 4.5
billion records, using unsuspecting systems of botnet network victims
(in this case, computers with viruses that allowed a single operator to
control a large group of affected systems) to test websites for SQL
vulnerabilities. When a vulnerability was discovered, the hackers were
then able to execute SQL injections, enabling them to send malicious
commands to a website and steal its data, including usernames and
passwords.
The group managed to steal information from 420,000 web and FTP sites, Hold Security said.
"Accounts
are hacked and credentials are stolen every day; however, the number of
credentials reportedly stolen is at a massive scale," Eric Chiu,
president of cloud company HyTrust, told Mashable. "
This
is a huge wake-up call to consumers and companies that attackers are
going after personal and work accounts in order to impersonate our
online personas."
Hold
Security's blog post, which details the data breach, also promotes its
own services. However, an independent security expert hired by The New
York Times confirmed its findings.
"Your
data has not necessarily been stolen from you directly," the blog post
said. "It could have been stolen from the service or goods providers to
whom you entrust your personal information, from your employers, even
from your friends and family."
The
Russia-based cyber gang is comprised of a dozen men in their 20s who
began as amateur spammers by buying information on the online black
market back in 2011, The New York Times reported. Ironically, the
hacking revelation has come during the Black Hat computer-security
conference in Las Vegas, which takes place from Aug. 2 to 7.
The
Times said Hold Security is trying to develop an online tool to help
individual users identify whether or not they were impacted by the data
breach. Those who use the Internet for online banking and shopping will
likely be the most troubled by the company's report. As for businesses,
they are advised to immediately run a check to see if their websites are
vulnerable to SQL injections.
"If
you haven’t updated your password recently, now would be the time,"
Adam Kujawa, head of malware intelligence at security company
Malwarebytes Labs, told Mashable. "Make sure it’s a strong password
containing capital and lowercase letters, numbers and special
characters. Also, don’t use the same username and password combo for
every site. This is especially true for sites that have personal
information like the site to your bank or credit card."
Posted by : Gizemon
No comments:
Post a Comment