Russian hackers have stolen 1.2 billion user name and password combinations in what could be the biggest ever data theft, hitting big-name websites “in virtually all industries across the world”, according to a US security firm.
Hold Security, based in Milwaukee, says a ‘CyberVor’ gang stole the information from 420,000 web and FTP sites.
The information is said to relate to half a billion email addresses and is a stark reminder that marketers can’t skimp on tech areas like security and testing in the rush to launch online services, potentially putting valuable customer data at risk.
The New York Times reports that so far it appears little of the information has been sold to other online criminals.
Instead, it says it is being used to send marketing pitches and junk messages on social networks such as Twitter.
‘Users will not know their computer is being hacked’
Hold Security claims the gang used a botnet, a network of infected computers controlled by a hacker, to identify weaknesses in websites that people visited.
Users typically do not know their machine is being manipulated by a botnet.
“The botnet conducted possibly the largest security audit ever,” says Hold Security on its website, adding that it spent seven months researching the alleged breach.
“Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of emails and passwords.”
Hold Security says the Russian gang targeted every site visited by an infected botnet machine and did not differentiate between well-known sites and smaller ones.
The company has not named the sites that were affected but says the list “includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites”.
Hold Security has a history of uncovering major hacking attacks and previously uncovered a large data theft from software company Adobe.
What this means for marketers: keeping customer trust with a data security strategy
Tips from the Digital Training Academy:
• Create secure passwords that use mixed case letters and numbers. Best practice is to change them regularly so that if there is a security breach you are not aware of, then over time the organisation is naturally protected.
• Only give access to the services people need, and if tools like a website CMS have different levels of access (such as those for people who write vs the editor vs the administrators) then fully apply the functionality.
• If developers use simple passwords such as “admin” or back doors to services before launch, then these passwords and loopholes should be removed at launch.
• Someone in your organisation should own cyber security.
• Organisations should look at super-password solution tools that manage access for teams rather than relying on each manager having to remember a complex list.
• Well-funded organisations should have standards and guidelines in place to align their agencies behind best practice.
• Cyber security teams should have a process in place for testing their networks, an approach that often uses “ethical hackers” to identify weaknesses.