The New York Times recently reported on a data breach originally identified by US security firm Hold Security which revealed:
- How 4.5 billion records have been compromised
- 1.2 billion appear to be unique users
- The list includes more than 500 million email addresses
- The haul appears to have come from over 420,000 compromised websites
They’ve called this CyberVor (‘vor’ being the Russian word for thief). The situation is still evolving, but here’s what we know.
How might this have happened?
The first batch of compromised accounts seems to be from normal trade on the black market of compromised credentials. Spam emails then directed victims to sites containing malware, with infected machines using vulnerabilities in the SQL databases of websites subsequently visited to gain dumps of databases. Repeating this cycle allowed the group to gain a very large collection of stolen user data.
What exactly does the CyberVor gang have?
Hold Security hasn’t revealed what exactly the criminal gang has put together, but we expect that the CyberVor range now has a large collection of user names, email addresses, and hashed passwords. A password hash looks like the following:
Most organizations use hash algorithms that are hard to reverse engineer. When the genuine user tries to gain entry, if the password matches the hash stored in the database, access is granted. If the entered password does not produce a matching hash, entry is denied. Such hashed algorithms are a defense against attacks like the CyberVor. Even if the criminal gang has a large list of user names, they generally only have hashed passwords, which are of little value unless they can be reverse engineered. However, account usernames and email addresses do have a value themselves as they can be used for future attacks.
Should you be concerned?
If a cybercriminal knows the hash algorithm, it will be easy for them to use a dictionary and compare hash outputs to the ones gathered from stolen databases to reverse engineer your password. Thankfully, most companies use a technique called “salting” (a random string inserted within the hash) to further complicate the hashed password. This means that the salt makes the hashing algorithm stronger still. Even if multiple users have the same password, such as “abc123”, the hash values will be unique. Cybercriminals won’t be able to reverse the hash into the actual password using a standard dictionary attack, unless they know specifically where the salt is within the string.
We should also consider what types of sites were compromised in this attack. If most passwords came from rather benign websites, such as online news sites or sites that contain no financial details, there is not much to worry about. However, if the comprised sites include major financial institutions, government sites, major social media sites, or domain name registrars, the situation is much more serious.
To be safe, change your passwords if you use the same password for multiple sites (a practice not recommended by CSC), or even better, start using the two-factor authentication that many sites allow. In addition to your user name and password, this means you’ll need some additional means of authentication to get access. It could be something as simple as IP address validation which CSC also offers (checking to see what IP address the login is coming from and maintaining a list of permitted IP addresses). Other possible forms of two-factor authentication include physical tokens (usually a key fob or small device that generates a unique numerical string on some briefly recurring frequency), or virtual tokens such as those offered by Google, Facebook, RSA and Symantec.
We continue to monitor the situation and liaise with our security partners.