More than 1 billion unique user names and passwords, as well as 500 million email addresses, have been stolen by a Russian crime ring in what is being called the largest-ever theft of web credentials, an information security firm has announced.
The massive breach was discovered by a Milwaukee-based security firm. Hold Security founder and Chief Information Security Officer Alex Holden said information was stolen from roughly 420,000 web and FTP sites, The New York Times reported Aug. 5.
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small companies,” Holden told the newspaper. “And most of these sites are still vulnerable.”
Holden said nondisclosure agreements prevent him from revealing which companies were victimized. In addition, he said he didn’t want to name sites that may still be vulnerable to further cyber attacks.
Such breaches demonstrate the extreme vulnerability of information assets, said Richard Ford, the Harris Professor of Computer Science in Assured Information at Florida Institute of Technology in Melbourne, Florida.
“As is always the case, I’d like to see more hard data before I really form an opinion,” said Ford, who also is co-director of the Harris Institute for Assured Information at Florida Tech. “With that caveat, though, in some ways even an exploit on this scale isn’t much of a surprise to me.
“The problem is manifold, but two issues I think are worth highlighting are that the ecosystem is so very big and the system is so very breakable,” he said. “Thus, if an attacker cannot break into company A, there is an almost-unlimited list of other targets that they can break into.”
According to an Aug. 5 post on the Hold Security website, the company spent seven months uncovering the stash of stolen data. The company identified a cyber gang operating out of a small city in south central Russia as the culprit.
The group has sold very little of the stolen data, the Times reported. It appears instead that the cyber thieves get paid to use the stolen information to send out spam for products such as weight-loss pills, according to CNN Money.
The discovery is the latest to highlight the growing challenges associated with securing customer data. In late 2013, retail giant Target revealed that hackers based in Eastern Europe had stolen 40 million credit card numbers and 70 million additional pieces of customer data from its networks. Two months earlier, U.S. prosecutors announced charges against a Vietnamese national in a scheme to sell millions of personal records obtained from Court Ventures, a data aggregating service now owned by Experian.
Large-scale data thefts threaten consumers as well as the world’s economy, according to a June 2014 report by the Center for Strategic and International Studies. The Washington, D.C.-based think tank estimated that cyber crime costs more than $445 billion worldwide each year, a number that equals about 1% of global income.
The growing threat posed by Internet-based crimes such as hacking and phishing is fueling job creation in the field of cybersecurity. The U.S. Bureau of Labor Statistics (BLS) projects that employment of information security analysts will jump by 37% between 2012 and 2022, well above the nation’s average job growth rate.
Information security analysts earned an average salary in excess of $91,000 as of 2013, the BLS reported.
“The size and complexity of the system work against us on many levels,” Ford said, “and we need to continue to invest in both personnel and research in this area or else the current culture of insecurity will continue.”