Russian Hackers Probably Know Your Passwords


Holy crap:

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites….At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

So far, says the Times, the Russian hackers are mostly using the information “to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.” I guess that counts as good news, all things considered, though obviously that could change quickly. Here’s how the Russian gang did it:

They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity….Since then, the Russian hackers have been able to capture credentials on a mass scale using botnets — networks of zombie computers that have been infected with a computer virus — to do their bidding. Any time an infected user visits a website, criminals command the botnet to test that website to see if it is vulnerable to a well-known hacking technique known as a SQL injection, in which a hacker enters commands that cause a database to produce its contents. If the website proves vulnerable, criminals flag the site and return later to extract the full contents of the database.

“They audited the Internet,” Mr. Holden said. It was not clear, however, how computers were infected with the botnet in the first place.

By July, criminals were able to collect 4.5 billion records — each a username and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique. Because people tend to use multiple emails, they filtered further and found that the criminals’ database included about 542 million unique email addresses.

I guess I really should get started on my annual password-changing exercise. Or maybe get a password manager, which I’ve resisted so far for reasons that may not really be that compelling. Or, alternatively, just forget the whole thing except for a very few sites that pose a real threat if hacked. I mean, do I really care if someone gets the password to my LA Times account? What good would it do them? Unfortunately, even on a fairly narrow reading of “real threat,” I come up with nearly a couple dozen sites. That’s still a lot of passwords to change.

IT'S NOT THAT WE'RE SCREWED WITHOUT TRUMP:

"It's that we're screwed with or without him if we can't show the public that what we do matters for the long term," writes Mother Jones CEO Monika Bauerlein as she kicks off our drive to raise $350,000 in donations from readers by July 17.

This is a big one for us. It's our first time asking for an outpouring of support since screams of FAKE NEWS and so much of what Trump stood for made everything we do so visceral. Like most newsrooms, we face incredibly hard budget realities, and it's unnerving needing to raise big money when traffic is down.

So, as we ask you to consider supporting our team's journalism, we thought we'd slow down and check in about where Mother Jones is and where we're going after the chaotic last several years. This comparatively slow moment is also an urgent one for Mother Jones: You can read more in "Slow News Is Good News," and if you're able to, please support our team's hard-hitting journalism and help us reach our big $350,000 goal with a donation today.

payment methods

IT'S NOT THAT WE'RE SCREWED WITHOUT TRUMP:

"It's that we're screwed with or without him if we can't show the public that what we do matters for the long term," writes Mother Jones CEO Monika Bauerlein as she kicks off our drive to raise $350,000 in donations from readers by July 17.

This is a big one for us. So, as we ask you to consider supporting our team's journalism, we thought we'd slow down and check in about where Mother Jones is and where we're going after the chaotic last several years. This comparatively slow moment is also an urgent one for Mother Jones: You can read more in "Slow News Is Good News," and if you're able to, please support our team's hard-hitting journalism and help us reach our big $350,000 goal with a donation today.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate