The biggest challenge for the gang of hackers in Russia said to have amassed 1.2 billion sets of user names and passwords, wasn’t actually stealing them. It’s putting that data to use.
The pilfered records, associated with about 500 million unique e-mail addresses, were discovered by Hold Security LLC, a Milwaukee-based company that sells information-security and risk-management services. The findings were based on seven months of research, though the company didn’t give a time period for the theft or name any websites that were hacked.
While Hold said it’s the largest known cache of stolen personal information, not all the records were current and the company couldn’t say if financial accounts were linked. Also, user names and passwords are less valuable than credit-card data and Social Security numbers, said Peter Toren, a partner in the Washington-based law firm Weisbrod, Matteis & Copley Plc.
“People should step back and question what kind of accounts are we talking about,” Toren, who served as an attorney for the U.S. Department of Justice’s computer crime and intellectual property section from 1992 to 1999, said in a telephone interview. “Do I really care if they find out what kind of music I listen to?”
Serious criminals, often in Eastern Europe, steal payment-card numbers. The theft of at least 40 million such numbers from Target Corp. (TGT:US) last year was one of their biggest hauls.
The bigger threat is that the Russian hackers could use whatever information they obtain to build profiles of people, which can be sold on the underground Internet market or used to obtain fake driver licenses or passports, Toren said.
“There are just so many ways information can be used to an individual’s disadvantage, even if the likelihood of such uses is speculative.” said Woody Hartzog, assistant professor at the Cumberland School of Law at Samford University in Birmingham, Alabama.
“Personal information can be used against individuals in different future attacks, like phishing or impersonation,” Hartzog said in an e-mail. “It’s frankly very difficult to say with great confidence that data breaches like these will only result in limited harm or vulnerability to users.”
The latest cache of user names and passwords was extracted from websites using a network of compromised computers known as a botnet, according to a statement from Hold Security yesterday. The “list includes many leaders in virtually all industries across the world, as well as” small or personal websites, Hold said.
“We have been collecting information to help our customers stay more secure,” Alex Holden, the founder and chief information security officer of the company, said in a telephone interview. “We found that it was such a great impact to society that we decided to make a public statement.”
Holden said that the hackers operated from central Russia near the border with Kazakhstan. He declined to provide exact details about their location or identities in order to not jeopardize potential law enforcement operations.
While the claim by Holden still has to be verified, the details and scope of the attack aren’t surprising, said JD Sherry, vice president for technology and solutions at security firm Trend Micro Inc. (4704) in the U.S.
“The Eastern European shadow economy is stocked with treasure troves of data as well as national security assets in the form of elite hackers,” Sherry said in an e-mail. “It is plausible that a single syndicate has cornered the market and compromised over a billion credentials over an extended period of time.”
Cybercrime costs as much as $575 billion a year and remains a growth industry with attacks on banks, retailers and energy companies that will worsen, according to a report published in June by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc.
Banks and credit-card companies are quick to cancel cards they know are stolen, and they have developed advanced algorithms for detecting fraud before charges hit victims’ accounts.
For those reasons, only a small fraction -- less than 5 percent -- of card numbers taken in breaches are ever used for fraud, said David Robertson, publisher of the Nilson Report, a newsletter focused on the payment industry.
The hackers could rent their lists to spammers, however few people open spam e-mails or even see them anymore. Effective filtering blocks 299 out of every 300 spam messages, according to The Spamhaus Project, an anti-spam nonprofit based in London and Geneva.
The New York Times first reported the attack, saying the records were gathered from 420,000 websites including Fortune 500 companies.
The Federal Bureau of Investigation declined to comment on whether it’s looking into the hackers. The U.S. has proven it can identify foreign hackers, such as when it indicted five Chinese military officials in May for hacking into U.S. companies.
However, even if the Russian hackers are identified they won’t be prosecuted, Toren said. “Do you think Vladimir Putin is going to turn these guys over to western law enforcement?” Toren asked. “Not in this world.”
To contact the reporters on this story: Chris Strohm in Washington at firstname.lastname@example.org; Jordan Robertson in San Francisco at email@example.com
To contact the editors responsible for this story: Romaine Bostick at firstname.lastname@example.org Elizabeth Wasserman