The headline in The New York Times is daunting: “Russian Hackers Amass Over a Billion Internet Passwords”. Yes: BILLION! The story? It is being reported that a close-knit group of Russian hackers has breached massive amounts of data. Here are the numbers:

  • more than 420,000 websites have been harvested and data stolen from them, including:
  • 1.2 billion username and password combinations
  • more than 500 million email addresses

The existence of the crime ring, nicknamed ‘CyberVor’, and the unprecedented size of its cache were first revealed by Hold Security, the Milwaukee-based security company that has uncovered several major hacks, including the Adobe Systems breach (2013).

What do bad guys do with all that data?

Because people tend to use the same passwords for different sites, criminals test stolen credentials on websites where valuable information can be gleaned, like those of banks and brokerage firms.

Bad guys need to steal huge numbers of email addresses, logins and passwords, social security and other ID numbers in order to make sure they get enough data to make money. The more records or bits of identity they have, the greater the chance that some of the accounts can be misused – for money. It’s a numbers game.

In this case, the bad guys are making money so far by “using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”

It’s just another example of how creative bad guys are in misusing your info: emptying your bank account is only one of many ways that your data and identity can be violated. This Twitter bit could also be a nice way of earning some change, while proving to potential buyers that the data is real – and thereby raising the price.

The next time you say to yourself, ‘Who could possibly care about my personal data? I’ve got nothing anyone would want to steal,’ stop and consider that someone out there is paying to send spam from Twitter accounts. You really don’t want it to be your Twitter account.

At this point, the depth and breadth of the risk are truly not known. After checking with many of our contacts in the security industry, we have been unable to find any researcher who has actually seen the data or has been able to verify the information in the report.

While it is quite possible that a group could have this many credentials over time, without secondary verification by established researchers and experts it may be a bit early to quit using the Internet. However, it is another reminder that password security is critical.

Even though we do not have all the information we may want concerning these reported breaches and password harvesting, you should review your password security.

Key lessons:

  • Stay informed! By knowing that a hack has occurred, you’ll know that you need to react.
  • Each of your online accounts deserves its own password. As bad as it is to have one account violated, you can’t afford to make it easy for the bad guys by using the same credentials on two or more accounts.
  • Each password needs to be a long, strong, random string. Your passwords are the keys to your emails, bank account, social media – your life. You want those keys to be strong, not cute words that can be guessed easily or revealed by a dictionary attack.
  • Wherever it is offered, use two-factor authentication. Two-factor authentication is stronger than the straightforward use of passwords because it requires that you enter your password plus something else that a bad guy couldn’t know without being there with you.
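To make the “unique, long, random” lessons concrete, here is an added example (not code from this post or from Sticky Password) that generates a separate random password per site from the operating system’s CSPRNG, checks a set of saved passwords for reuse, and puts numbers on why a random string beats a “cute word”: a uniformly random string of length n over an alphabet of size k carries n·log2(k) bits, while a word picked from a wordlist of size d (even with a digit tacked on) carries at most log2(d × 10) bits no matter how long the word is. The wordlist size used below is an assumed, constructed figure, not a measurement.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: upper, lower, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password one independent, uniformly chosen symbol at a time.

    `secrets` draws from the OS CSPRNG; `random` would NOT be suitable here.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(wordlist_size: int, suffix_variants: int = 10) -> float:
    """Upper bound on the entropy of 'dictionary word + one digit'.

    A dictionary attack only has to enumerate the wordlist times the suffix
    variants, so the bound is log2(wordlist_size * suffix_variants),
    independent of how long the word happens to be.
    """
    return math.log2(wordlist_size * suffix_variants)


def build_vault(sites: list[str], length: int = 20) -> dict[str, str]:
    """Assign every site its own freshly generated password (lesson 2)."""
    return {site: generate_password(length) for site in sites}


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return {password: [sites]} for every password used on more than one site."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample: three accounts, as a password manager would hold them.
    vault = build_vault(["bank.example", "mail.example", "social.example"])
    for site, pw in vault.items():
        print(f"{site:16} {pw}")
    print("reused:", find_reused_passwords(vault) or "none")

    # Constructed comparison: assumed 100,000-word list plus a digit suffix
    # versus a 20-character random string over 94 symbols.
    print(f"word+digit  : {wordlist_entropy_bits(100_000):.1f} bits (upper bound)")
    print(f"20 random   : {random_entropy_bits(20, len(ALPHABET)):.1f} bits")

    # Constructed reuse case: the same password saved for two sites.
    bad_vault = {"shop.example": "Sunshine1", "forum.example": "Sunshine1"}
    print("reused in bad vault:", find_reused_passwords(bad_vault))
```

Under these assumptions the word-plus-digit bound is about 20 bits, while the 20-character random string is about 131 bits; a password manager is what makes holding a different 131-bit string for every site practical.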

It may sound like a lot – especially if you’ve never paid much attention to your password security – but it’s necessary and very manageable when you use a password manager such as Sticky Password. Why not start today?