Security Advisor

Russian Crime Ring Steals 1.2 Billion Online Passwords

This week's incident highlights the need for a change in attitudes relating to corporate security.

A crime ring operating out of Russia has collected what is being called the largest batch of stolen online credentials, including usernames, passwords and e-mail addresses across multiple services.

The New York Times reported on Tuesday that Milwaukee firm Hold Security discovered the theft and said the obtained information came from 420,000 different Web sites, with targets ranging from across the entire globe.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites," said Alex Holden, chief information security officer of Hold Security, to The New York Times. "And most of these sites are still vulnerable."

The list of affected sites has stayed private so that further information leaks could be avoided.

According to the security firm's blog that disclosed the incident, the database of stolen information was acquired from the black market by accessing a large network of botnet networks that obtained the information in the first place by information leaks through unpatched SQL server holes.

The crime ring, which Hold Security has called "CyberVor" ("vor" means "thief" in Russian). Is known mostly for sending out spam, including bogus deals for weight loss pills. According to the 18-month investigation by the firm, financial information was never targeted by the group. However, activity using the stolen credentials has already been spotted. The group has been using the information to send spam on social networking sites like Facebook and Twitter.

Experts reacting to the incident point to a lax in enterprise security as being the main culprit of this and other recent high-profile thefts (including last year's Target breach). Pierluigi Stella, CTO for Network Box, said the dangerous practice of enterprises installing security procedures based off of cost effectiveness over actual need will continue to lead to incidents like these.

"The time when we compared risk assessment to a horse in a stable (don't spend more money for the fence than for the horse) is long gone," said Stella in an e-mailed comment. "We need to change the approach and understand that the risks are much higher; losing your data can (and WILL) cost you your company."

Redmond columnist Don Jones spoke of this corporate change in attitude in his June column "The Quest for a Culture of Security." In it, he said if an enterprise has not clearly analyzed what is the actual cost of a large data leak, security is not a strong focus of the enterprise. "If you don't know, you're probably not making good, metrics-based decisions when it comes to security," wrote Jones. "After all, without knowing your level of risk, you can't decide how much it's worth spending to mitigate it."

Aside from investing more money and time in a comprehensive analysis and strategy, what are some more practical steps companies can take to avoid situations like this week's data theft?  Hold Security said companies should double check to see if their corporate Web sites are open to SQL injection attacks (including auxiliary sites), and make sure all online servers are patched and up to date.


About the Author

Chris Paoli is the site producer for and


  • Microsoft Endpoint Manager Improvements Highlighted at Ignite

    Improvements in the Microsoft Endpoint Manager (MEM) management solution were part of Tuesday's Microsoft Ignite online event.

  • Green City Illustration

    Microsoft Ignite 2020 Reaction, Part 1: A New Normal for Tech Conferences

    Something about Satya Nadella's opening keynote makes Brien wonder if Microsoft thinks we'd all be better off doing everything -- including conferences like Ignite -- remotely, even after the pandemic is over.

  • Microsoft Ignite: Azure Advances Across Five Frontiers

    To kick off the Microsoft Ignite virtual conference, CEO Satya Nadella made a bold claim about the public cloud with the second-largest market share behind Amazon.

  • Microsoft Buying Games Maker ZeniMax Media for $7.5 Billion

    Microsoft is buying ZeniMax Media, parent company of Bethesda Softworks and other game-maker affiliates, for $7.5 billion in cash.

comments powered by Disqus