Hackers have amassed a vast collection of stolen data, including 1.2 billion unique username/password pairs, by compromising over 420,000 websites using SQL injection techniques.
Researchers monitored the gang for over seven months, thought to be “fewer than a dozen men in their 20s who know one another personally” based in a small city in central Russia.
They found that the group, working together since at least 2011, had rented time on bot-infected machines around the world, and rather than the more standard techniques of sending masses of spam, distributing malware or monitoring the infected system to catch banking logins, had instead monitored each and every website visited by the compromised host’s user, probing for vulnerabilities to SQL injection attacks.
Vulnerable sites were then plundered for any data they could be tricked into leaking, which was added to the gang’s epic cache.
By the time it was acquired by Hold Security, this amounted to 4.5 billion records, including the 1.2 billion unique login pairs and over half a billion unique email addresses. The data has apparently been verified as genuine by an independent expert at the behest of the New York Times.
SQL injection attacks are one of the most common ways of compromising web-facing systems.
Databases are used by websites to store all sorts of information, including sensitive data like passwords and credit card details.
Because of their sensitivity these databases are not publicly accessible and are only visible to the website that uses them. But if that website is not coded with security in mind attackers can use the website as a go-between that gives them indirect access to the database.
Although this haul is staggeringly large the infrastructure and techniques required to perform the attack are nothing new, according to SophosLabs’ Senior Threat Researcher James Wyke.
A large proportion of all the malware families that we see form some sort of botnet. In fact there are relatively few categories of malware that don’t.
Even those that don’t are often spread through botnets – CryptoLocker was spread via the Gameover Zeus botnet for example.
Botnets themselves can be extremely large. We estimated that the ZeroAccess botnet managed to infect over 9 million machines and the number of Gameover infections was also in the millions.
If you want to understand more about botnets and what they do listen to the TechKnow podcast with James and Naked Security’s Paul Ducklin.
The researchers who uncovered the cache of data have described the technique as “possibly the largest security audit ever”.
Of course, the huge numbers will be inflated by the inclusion of expired and throwaway logins, but given the general state of password security it seems inevitable that a pretty large number of people will be at some sort of risk from this mass harvesting.
At the moment, apparently, the gang, which Hold have dubbed “CyberVors” from the Russian for “thief”, are mainly using the data to provide social network spamming services, but it could easily be used for any kind of account hijacking or identity theft in future.
It also seems inevitable that with such a large haul from such a wide range of sites, there will be more than just usernames, passwords and email addresses in there, not least social security numbers and payment card information.
The researchers say they are working through the list of vulnerable sites, informing the owners and urging them to shore themselves up, but with close to half a million to get through that could take some time.
They’re also working on a secure way of allowing people to check the dataset for their own passwords to see if they’ve been compromised.
Hold Security is proud to announce that we will be providing full electronic identity monitoring service to all the individuals within the next 60 days.
That isn’t how these kind of breaches are normally handled, SophosLab’s Principal Virus Researcher Vanja Svajcer explains:
This is quite an unusual approach to remediating an alleged major credentials compromise. For a long time the security industry has freely shared information on breaches within its own community.
Researchers discovering credentials breaches usually help end users either by making the information about compromised accounts public or by working with the company whose servers were compromised … it is reasonable to expect the company to make the information freely available so everybody can check that none of their email addresses have been compromised.
Sixty days is a long time to wait. If you can’t find out if you’re affected what should you do today?
There is currently no way to tell if you have been affected by any of this. The owners of the affected sites are being informed and hopefully they will tell their users in turn.
Because the sites that were successfully attacked were compromised by easily-avoided vulnerabilities it’s prudent to assume those sites didn’t secure the data in their databases properly either. Even strong passwords are at risk if they aren’t stored correctly.
That means a large, random selection of people have had their personal data compromised and the only reasonable security precaution is to assume you’re one of them. We recommend that you:
- Change your website passwords
- Use a unique password for each website
- Use two-factor authentication wherever you can
- Check bank and social media accounts for suspicious behaviour
This data haul may yet turn out to be a ‘Heartbleed’ moment for website owners who assume their sites are too small to be of interest to hackers.
The gang that amassed this giant data haul didn’t discriminate between popular or unpopular, large or small. All that mattered was vulnerability.
Fortunately SQL injection attacks are easily defeated by simple coding practices.
We recommend that website owners:
- Install a Web Application Firewall
- Harden your website against SQL injection
- SQL injection prevention tips for web programmers
- Testing for SQL Injection
- Make sure your users’ passwords are stored safely
- Enable your two-factor authentication of users