1.2 billion passwords stolen by Russians? Is this hack a lie?

A couple of days ago, The New York Times published an exclusive report on what has been described as "the biggest hack ever". CyberVor, a Russian hacker group, allegedly have access to 1.2 billion sets of login credentials and more than 500 million email addresses gathered from 420,000 websites.

By Alex Choros | Opinion

A couple of days ago, The New York Times published an exclusive report on what has been described as "the biggest hack ever". CyberVor, a Russian hacker group, allegedly have access to 1.2 billion sets of login credentials and more than 500 million email addresses gathered from 420,000 websites.

The New York Times' source, Hold Security, has a history of uncovering hacks, and were responsible for bringing to light last year's Adobe incident. However, the information Hold has released to the public has been scarce, citing nondisclosure agreements and a reluctance to name companies whose sites still remain vulnerable. The New York Times asked a third party security expert to review the stolen data was able to attest to its authenticity.

Aside from this, we still know nothing about the data. We don't know where the data was stolen from, when the hack (or hacks) occurred, and whether the passwords are encrypted or plain text.

I can understand not naming names, but honestly, not providing any information and the time frame or password encryption is a bit of a joke. This is made worse by the fact that Hold are encouraging concerned individuals to sign up for their Identity Protection Service, which "will allow individuals to know if their online credentials have been compromised". The company are offering a free 30 day trial, but do not disclose a price anywhere.

According to the Hold's Terms of Service, by starting a "subscription (with our without a promotional trial), you are expressly agreeing that Hold Security is authorised to charge you the Subscription Fee to the Payment Method you provide during registration".

Am I the only one who thinks this sounds like a ransom?

But wait, it gets better. If Hold finds your email in the database, they then ask you to provide your passwords to compare it to the ones in the database, so they can let you know exactly which ones have been compromised – despite saying "we will never ask you for your passwords". What the hell?

Prior to writing for CyberShack I did a lot of freelance web development, and I can't begin to express how insane and impractical this approach is. Firstly, if any of the stolen passwords were encrypted, it would be impossible to compare without knowing each individual website's encryption method, especially if a salt has been used (a fairly standard extra layer of encryption). Secondly, asking users to enter passwords on a website they're not intended for is insane from a security perspective, and puts them at risk. Isn't Host meant to be a security firm? Or are they the real scammers in this scenario?

According to an article published on The Verge, it is unlikely that CyberVor actually stole all 1.2 billion passwords, rather, they just ended up with them: "The gang started out by buying stolen data from earlier hacks, but it's remarkably unclear where the bought date end stolen data begins". As such, many of the credentials referenced could be from previous hacks, and potentially outdated. The article suggests the data could have come from a 2013 Target hack, a 2012 LinkedIn hack or a 2012 Global Payments hack. More importantly, CyberVor isn't using this data to steal money, they are allegedly using it for hijacking Twitter accounts to use for spam.

As aforementioned, it is likely that that these passwords are authentic. Given that Hold is seemingly using the incident for their own commercial gain, it is impossible to understand the scope of the situation. My gut feeling is that we shouldn't be too worried. If any major players such as Google, Microsoft, Facebook, Twitter or Apple were breached, we no doubt would have seen more news on the topic. But we haven't.

Nonetheless, it is worth remaining diligent online. Aside from changing your Twitter password my personal recommendation is to use a unique password for each website that requires one. While this may seem like a tedious affair, apps such as LastPass and 1Password are ideal for managing them, and provide an additional level of security. Most importantly, do not give Host Security your passwords or your credit card details.

For further reading on the issue, check The Verge, and blog posts from by securty experts from software manufacturers Trend Micro and ESET.