This was first reported by Hold Security on Tuesday, August 5th, and it has been picked up even by the mainstream press and media outlets. A Russian criminal organization has amassed a huge trove of 1.2 billion user names and passwords. This could be all of them, folks, so it might be a good time to go through your online accounts and change them ALL! I wish I were kidding, because I have way over 100 to do myself. Maybe it’s time to give KeePass or RoboForm a try.
It appears that this group started by purchasing lists online that are known as Rainbow Tables in the trade. (Pot of gold at the end of the rainbow table?) Once they had a few good passwords, they broke into as many web servers as they could and extracted more databases of user and password credentials. In many of these databases the passwords were “hashed” or encrypted, but by comparing them to the Rainbow Tables they already had, and by using dictionary, hybrid, and brute-force password cracking software that can be found online, they grew their list and added it to the Rainbow Table.
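The reason a stolen table of hashed passwords can still be matched against a precomputed list is that an unsalted hash of a given password is the same on every site, so the stored value becomes a direct key into the attacker's table. The example below is added here to illustrate the defender's side of that point; it is not code from the post or from Hold Security, and the "leaked" wordlist is a constructed, made-up sample. It shows how the same password, stored with a per-user random salt and a deliberately slow hash (PBKDF2 from Python's standard library), no longer matches anything in the precomputed table.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a precomputed lookup table.
# Assumption: real tables are vastly larger; these are made-up samples.
TOY_WORDLIST = ["password", "letmein", "qwerty123", "Summer2014", "clubmember1"]

ITERATIONS = 200_000  # PBKDF2 work factor; each guess must pay this cost


def build_lookup_table(wordlist):
    """Precompute unsalted SHA-256 digests for every word.

    This is the shortcut the post describes: hash once, look up forever.
    """
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}


def store_unsalted(password):
    """The weak way: one deterministic digest per password, site-independent."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash, table):
    """A stolen unsalted digest is a direct key into the precomputed table."""
    return table.get(stored_hash)


def store_salted(password, salt=None, iterations=ITERATIONS):
    """The hardened way: per-user random salt plus a slow key-derivation hash.

    Every user's digest differs even for identical passwords, so a table
    computed in advance cannot be reused, and each guess costs ITERATIONS.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo(password="Summer2014"):
    """Return (recovered_from_unsalted, salted_digest_in_table, good_login, bad_login)."""
    table = build_lookup_table(TOY_WORDLIST)

    # Unsalted storage: the stolen digest matches the table immediately.
    stolen = store_unsalted(password)
    recovered = lookup_unsalted(stolen, table)

    # Salted storage: same password, but nothing precomputed matches it,
    # while legitimate verification still works.
    salt, digest = store_salted(password)
    in_table = digest.hex() in table
    return (
        recovered,
        in_table,
        verify_salted(password, salt, digest),
        verify_salted("not-the-password", salt, digest),
    )


if __name__ == "__main__":
    print(demo())
```

The takeaway for site operators is that salting and a slow hash turn a one-time table lookup into per-user, per-guess work; the takeaway for users is the post's own advice, since a long password that is unique to each site is the only part of this defense that is in your hands.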
They weren’t fussy either: not just major financial or e-commerce websites were hit; they basically attacked any web site that they found in their growing list of credentials, including some small sites with poor or simple security. They cast a wide net and took anything they could find. So in this case, some itty-bitty club site where you are a member with maybe one hundred other people may have been breached too.
It is unclear what they intend to do with this information, whether they are going to use it themselves or simply sell the information to others. Because so many little sites were hit, it is also unclear how current these passwords are, although given how many users reuse the same password across many sites, this could be a pretty good score.
So the big question is: are you at risk? Have your passwords been stolen? Hold Security will be offering a service where you can sign up and they will notify you if your passwords are in the list.
As I mentioned in an earlier post, crimes such as this one are pretty much spelling the end of the password era altogether. But in the meantime, you need a password that is ten characters or longer (the longer the better) and unique for every site. Using two-factor authentication whenever it is offered is a smart play, too.
Here are a couple of other articles that go deeper on this particular breach.