updated 12:00 am EDT, Fri August 8, 2014
Nearly 4.5 billion records collected in total, including 542 million unique email addresses
The New York Times reported earlier this week that a hacker group has amassed 1.2 billion unique username and password credentials from 420,000 websites. The collection, which was verified by a security firm, is thought to be one of the largest troves of Internet identity information ever reported. The publication had the data analyzed by an independent expert, who confirmed the collection is authentic but did not comment on whether the credentials in it are still valid.
Hold Security has been investigating CyberVor, the name the company gave the Russian cyber-gang collecting the information, for seven months. The company found that the collection contains 4.5 billion records, of which 1.2 billion are unique login credentials. To amass that much data, the gang stole from websites of all sizes around the globe and also bought databases on the black market. The records include roughly 542 million unique email addresses.
"Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach," said Hold Security. "Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family."
The security firm says it will not share the names of any victims or companies found in the collection. According to Hold Security, few of the records have been sold so far; instead, some of the information is being used to run spam campaigns on social networks, for a fee, on behalf of other groups.
The company says it will reach out to every individual on the list within the next 60 days as it launches its Hold Identity service. People curious to see whether they are on the list can also sign up on their own, free and without commitment for 30 days. A verification process is required before any check is run, and up to 15 passwords can be checked per email address. Users must submit encrypted (hashed) passwords rather than plaintext to the company for the comparison.
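The check described above, as an added example that is not Hold Security's own code or process: the client hashes each password locally and sends only the hashes, the server compares them against its list of leaked hashes, and the per-email limit of 15 passwords is enforced. The "breach list" below is constructed sample data, SHA-512 is an assumed choice of hash, and the email normalization is an assumption. One caveat a practitioner would want: an unsalted hash of a password is not secret from whoever receives it, since it can be brute-forced offline, so this only keeps plaintext off the wire and is no reason to hand a third party every password you use.

```python
import hashlib
import hmac

MAX_PASSWORDS_PER_EMAIL = 15  # limit stated in the article


def sha512_hex(password: str) -> str:
    """Unsalted SHA-512 hex digest (assumed hash; not Hold Security's actual scheme)."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


# Constructed sample breach list: email -> set of leaked password hashes.
# Illustrative values only, not data from the CyberVor collection.
LEAKED = {
    "alice@example.com": {sha512_hex("Summer2014!"), sha512_hex("letmein")},
    "bob@example.com": {sha512_hex("hunter2")},
}


def client_prepare(email: str, passwords: list[str]) -> tuple[str, list[str]]:
    """Client side: hash every password locally so plaintext never leaves the machine.

    Raises ValueError if more than MAX_PASSWORDS_PER_EMAIL passwords are supplied.
    """
    if len(passwords) > MAX_PASSWORDS_PER_EMAIL:
        raise ValueError(f"at most {MAX_PASSWORDS_PER_EMAIL} passwords per email")
    normalized = email.strip().lower()  # assumed normalization rule
    return normalized, [sha512_hex(p) for p in passwords]


def server_check(email: str, hashes: list[str]) -> list[int]:
    """Server side: return the indices of submitted hashes found in the breach list.

    hmac.compare_digest avoids leaking match position through timing.
    """
    stored = LEAKED.get(email, set())
    hits = []
    for i, submitted in enumerate(hashes):
        if any(hmac.compare_digest(submitted, s) for s in stored):
            hits.append(i)
    return hits


if __name__ == "__main__":
    email, hashes = client_prepare("Alice@Example.com", ["hunter2", "Summer2014!"])
    print(email, server_check(email, hashes))  # index 1 (Summer2014!) is leaked
```

The client returns only the index of each matching password, so the user learns which of their own candidates was exposed without the server ever needing the plaintext.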
Some doubt has been cast on the circumstances of the disclosure, including the role of the company behind the investigation. Hold Security is using the fear stirred up by the data collection to its advantage, offering businesses a paid service that issues breach notifications.
Forbes's Kashmir Hill points out that the page for this service went up at about the time the Times story broke. In an email to Forbes, Hold Security founder Alex Holden said the company is charging fees to recoup the cost of verifying ownership. Hill noted the fees were originally listed at $120 a month, but Holden said they will actually be $10 a month or $120 per year.
After the Wall Street Journal's Danny Yadron posted an article on the situation and pointed to the service on Twitter, the page was pulled temporarily. It's now back up.
It wouldn't be the first time a company used panic to drive sales, but the timing and details make the situation look suspect. The sheer volume of information, Hold Security's unwillingness to disclose details, and the timing of its service launch all sit awkwardly together.
According to The New York Times article, the hacking group is based in a small town in central Russia, in a region bordering Kazakhstan and Mongolia. The group, said to have fewer than 20 members, started out in 2011 with spam. Even if it has been collecting records since 2011, four billion seems like an astronomical number when only a handful of services can boast user counts that high. Small caches can add up over time, though, especially once dumps from large breaches like Target and Adobe are folded in, and the figures themselves point to heavy duplication: 4.5 billion records collapse to 1.2 billion unique credentials and 542 million email addresses. It's quite possible that some or most of the data is outdated.
Russell Brandom at The Verge makes several good points about other problems with the data. He notes that the attack method, SQL injection carried out by botnets, doesn't seem suited to pulling information out of large companies. It also isn't clear how much of the information the group stole itself versus bought. As Hold Security puts it on its website, the gang "eventually ended up" with the information, even though it focused on theft. Then there is the fact that the group is using the data for spam, which suggests it may already have little to no value on the market.
Even if the data has no market value, the number of records shouldn't be ignored. It's still a good idea to change passwords, especially older, weaker ones reused across several sites, and to enable two-factor authentication wherever it is offered.