Russian Cyber-Criminals Amass 1.2 Billion Passwords

This was first reported by Hold Security on Tuesday August 5th. and it has been picked up even by the mainstream press and media outlets.  A Russian criminal organization has amassed a huge trove of 1.2 billion user names and passwords.   This could be all of them, folks, so it might be a good time to go through your online accounts and change them ALL!  Wish I was kidding, because I have way over 100 to do myself.  Maybe it’s time to give KeePass or RoboForm a try.

It appears that this group started by purchasing lists online that are known as Rainbow Tables in the trade.  (Pot of gold at the end of the rainbow table?) Once they had a few good passwords, they broke in to as many web servers as they could and extracted more databases of user and password credentials.  In many of these databases the passwords were “hashed” or encrypted, by by comparing them to the Rainbow Tables they already had, and by using Dictionary, Hybrid, and Brute-Force password cracking software that can be found online, they grew their list and added it to the Rainbow Table.

They weren’t fussy either, not just major financial or e-commerce website were hit, they basically attacked any web site that they found in their growing list of credentials, including some small sites with poor or simple security.  They cast a wide net and took anything they could find.  So in this case, some itty-bitty club site where you are a member with maybe one hundred other people may have been breached too.

It is unclear what they intend to do with this information, if they are going to use it themselves, or simply sell the information others.  Because so many little sites were hit, it is also unclear how current these passwords are, although with the prevalence among users of reusing the same password across many sites, this could be a pretty good score.

So the big question is are you at risk?  Have your passwords been stolen?  Hold Security will be offering a service where you can sign up and they will notify you if your passwords are in the list.

As I mentioned in an earlier post, crimes such as this one are pretty much spelling the end of the password era altogether.  But for the meanwhile, you need a password that is ten characters or longer, and the longer the better, and unique for every site.  Using two-factor authentication whenever it is offered is a smart play, too

Here are a couple of other articles that go deeper on this particular breach. 

Larry Magid at Silicon Valley News

Martin Williams at PCWorld


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.