What the Big Russian Credentials Breach Means to You
NEW YORK (MainStreet) The news headlines scream: a Russian gang has stolen an estimated one billion login credentials (username/password pairs), harvested from some 420,000 websites, according to Milwaukee-based Hold Security, which broke the news. Hundreds of millions of valid email addresses also were stolen by the gang.
But this may not be a remote problem floating in the tech sphere: it is quite possible you will be impacted. And you need to take steps, now, to protect yourself.
Said Adam Levin, chairman of Scottsdale-based Identity Theft 911, "this has the potential to be a problem for all of us."
Added David Maman, CTO at Israel-based security firm GreenSQL, "You can steal any information once you steal credentials. There now are potentially a billion potential identity theft cases."
It gets worse. Shane Shook, chief strategy officer at ZeroFOX, a social risk management firm in Baltimore, predicted there will be an epidemic of bogus and malicious faked social identities (on LinkedIn, for instance) as criminals extend the ways they use the stolen credentials. You may think you are linking to a vice president at a well-known Phoenix hospitality firm. But what if it's an impostor? And what if the fake, whom you trust, sends you a link that downloads malware to your computer? Now you are the victim.
Fact: the breach almost certainly is as huge as reported. Hold has not made much data publicly available, but it did give a look to highly regarded security blogger Brian Krebs (he broke the news of the Target breach late last year), who pronounced the evidence solid.
How could a small team (Hold estimates the inner circle of the breach masterminds as a handful of Russians) collect so much data? Easy. They followed a central mantra of corporate IT: automate as many tasks as possible. Apparently what they did was assemble an army of zombie computers, called a botnet. These computers are corrupted by malware and do the bidding of an evil master, usually without the knowledge of the rightful owner. The zombies were programmed to hunt for particular security vulnerabilities in web hosts and to harvest the desired data.
Problem: we do not currently know what companies are on the list of 420,000 compromised websites. We may never know, but that may not matter anyway. What matters is that the sites are said to be of both large and tiny organizations. There's no pattern (other than having certain architectural weaknesses). Assume you have visited some. Probably you have.