1.2 Billion Stolen User Names, Passwords Reportedly Collected By Russian Hackers

Consumerist ^ | 06 August 2014 | Chris Morran

[Lorianne]

Through hacks of hundreds of thousands of websites, a Russian crime ring has reportedly gained access to 1.2 billion user name and password combinations, along with hundreds of millions of e-mail addresses.

The NY Times reports on records turned up by Milwaukee-based Hold Security, which claims to have turned up evidence of this massive cache of data, stolen from some 420,000 different websites.

“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, tells the Times. “And most of these sites are still vulnerable.”

The company is not naming victims for various reasons, including the fact that it doesn’t want to encourage attacks on sites that remain vulnerable to hacks. Some of the companies victimized by the hack are already aware that their data has been compromised.

Holden says he plans to alert law enforcement to his company’s findings, but the Times points out that the Russian government has a history of not making cybercrime a priority.

Unlike other hackers who make money by selling stolen credentials on the black market, it appears that most of the info taken by the Russian hackers is being used to send spam.

[Gritty-Kitty]

Pay up or the squirrel gets it.

[Red Badger]

Peggy DID IT! ......................

[Vigilanteman]

A pipe dream of mine would be to create an entire company of nerds who attack the website servers of spammers and hackers 24/7.

[rarestia]

Opulence. I has it!

[smokingfrog]

Все ваши базы принадлежат нам

[CincyRichieRich]

Good grief; great job, 0bummer! You commie pig.

Can someone please, please post a cartoon pic of Boris and Natasha? thanks

[rawcatslyentist]

So the ACA website is finally working.

[Grampa Dave]

Time for the NSA and CIA to track down these bastards and eliminate them.

Oops the NSA is to busy spying on Good Americans to spy on and neutralize enemies.

Oops, the CIA is controlled by the Sunni Muslim Brennan, and he and his boss want Americans to lose everyday.

[Grampa Dave]

Can someone please, please post a cartoon pic of Boris and Natasha? thanks

[webheart]

I have at least eight email addresses. Heck, my dog has an email address. She doesn’t get much mail, but still... As far as user names and passwords I have a couple of dozen, many of which lead nowhere. So 1.6 billion is not the same as 1.6 billion people. I have created and forgotten accounts on many occasions and there are many that I have but don’t use any more. My most important is my FR handle.

[WhyisaTexasgirlinPA]

One of the funniest commerical ideas ever

[Izzy Dunne]

Все ваши базы принадлежат нам

Ha! I don't read Russian, but I have an app called WORD LENS on my phone which uses the camera to look at a page, and shows me a picture in English.

AYBABTU, indeed.

[867V309]

Any website worth it's salt encrypts the client's password. The encryption is generally secure (I'm not talking NSA here) but stupid passwords like "123456" or "password" are found using a look-up table. A password like "ut*m5%8Pn7y", not so much.

[IYAS9YAS]

Any website worth it's salt encrypts the client's password.

There was a story linked (video actually) here this morning that showed how the good companies store password data. Essentially, they don't. They store hashdata based upon the password itself, but not the password. The really good ones use a system that cannot go from the hashdata to your password.

If any company sends you your password, you need to stop doing business with them, as they are maintaining something that can be hacked.

[IYAS9YAS]

Here's the link from this AM: Why any decent website doesn't know your password. (video)

[867V309]

"Hash data" is the password after salting and encryption. It is a one-way process where the password plus salt always yields the same "hash data" (or encrypted password) but there is no way to determine the password from the encrypted version unless you can guess it.

[IYAS9YAS]

"Hash data" is the password after salting and encryption. It is a one-way process where the password plus salt always yields the same "hash data" (or encrypted password) but there is no way to determine the password from the encrypted version unless you can guess it.

Yes. I've had some places that claim to encrypt my password, but they then are also able to return that password to me, so I know it's not actually encrypted using hashing data.

[867V309]

Yes. I've had some places that claim to encrypt my password, but they then are also able to return that password to me, so I know it's not actually encrypted using hashing data.

Yikes! I agree, avoid them like the plague unless the need for security is trivial.

[WayneS]

I hope they didn't get the password to my Simpson's Tapped Out game...