Millions and Millions of Stolen Credentials Just Waiting to Be Bought Online
Earlier this week, Hold Security published a post revealing that they have found "360 million stolen and abused credentials and 1.25 billion records containing only email addresses." These figures, they added, "are not meant to scare you." Too late.
Internet data watchers Hold Security published a post this week revealing that they have found "360 million stolen and abused credentials and 1.25 billion records containing only email addresses." These figures, they added, "are not meant to scare you." Too late.
The security firm explains that they made the discovery in the first weeks of February, and that the data was likely stolen in a number of separate breaches, including one massive theft of 105 million records. Hold Security said that it is investigating independent breaches, and that the disclosure is meant as a "call to action."
Hold Security's chief information security officer Alex Holden told Reuters that he thinks the information was stolen in breaches that affected companies have not yet reported, adding "we have staff working around the clock to identify victims." The breaches could actually be more harmful to victims than credit card theft because passwords could act as an entry point into several private accounts (especially because most people don't actually use different passwords for different accounts). Furthermore, security expert Heather Bearfield warned that money taken from bank accounts with stolen credentials are not necessarily refundable.
Reuters reports on what Hold Security learned:
The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text... The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.
Holden said that he will identify affected companies if he can identify them, adding that he doesn't yet know who is involved in the breach. He told PCWorld.com that the data may have come from dating or job-related sites, adding "we don't know who has been breached. Ultimately, we are trying to figure out who the players are."
Holden said that "this month has been very fruitful for hackers." It seems to us that many recent months have been nearly as fruitful — retailers Target and Neiman Marcus reported massive hacks, and Internet Explorer, Kickstarter and universities have been among the institutions affected by data breaches. To protect yourselves online Hold Security (naturally) recommends you buy their Credentials Integrity Services service. Or you could just change your password to something other than "password."