Massive Russian cyber breach suggests traditional passwords are ‘useless’

By Erin Ayers on August 8, 2014

With the reports of a massive attack on consumer and business privacy and some 1.2 billion unique credentials stolen by a Russian hacking gang, experts say the traditional method of username and password to secure sensitive online details may need to evolve.

Hold Security, a Milwaukee-based firm, revealed earlier this week that it detected evidence of a Russian gang, which the firm called “CyberVor,” that had collected over 4.5 billion records, about 1.2 billion of which seems to be unique. The data correspond to over half a billion email addresses. The security firm estimated that the gang had to have invaded over 420,000 websites and servers. The revelation, which was provided initially to the New York Times, constituted seven months of research, according to Hold Security.

“The gang acquired databases of stolen credentials from fellow hackers on the black market,” said Hold Security in a statement on its website. “These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system).”

Hold Security didn’t respond to Advisen inquiries for more details, and the firm’s announcement was met with some skepticism from many security professionals. Hold Security is relatively unknown and the announcement came in the form of an exclusive report to a major media outlet during the same week as Black Hat USA, the largest gathering of security professionals in the country.

After all, 1.2 billion email addresses represents about half the global online population. Hold offered an illustration of those numbers by commenting, “4.5 billion credentials seems like an impossible number, but just think of how many sites require you to register your e-mail address and, let’s face it, almost everyone re-uses their passwords. So, it’s not hard to see how some of us could have been victimized more than once.”

The firm further explained that a “credential” consists of a user ID (typically an email address) and a password. Research showed that 1.2 billion unique pairs had been amassed by CyberVor.

“If we narrow it down by unique e-mail addresses, we still have over half a billion records since there may be multiple password corresponding to a single e-mail address. Not all of them are valid or current. Some people use fake e-mail addresses, in other cases the CyberVor gang might have stolen credentials that belonged to an e-mail address that you no longer have (i.e. something you used with your previous employer) or a password that you haven’t used for over a decade, or even a default password automatically assigned to you by a website. Yet the sheer number of credentials can potentially open a door to many systems and accounts,” the firm said.

As for Hold Security’s report, Brian Krebs, a well-known security journalist who runs the blog “Krebs on Security,” helped to verify the research. Krebs is also listed as a member of the firm’s advisory board.

“Alex [Holden, Hold Security’s founder] isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors,” said Krebs in a post on his blog.

Others affirmed that this immense data breach was expected by security researchers for quite some time.

‘Pretty Enormous’ Consequences

“I think it’s a credible report. We had a strong suspicion that mega data breaches were going to happen because of the Russian hacking,” Dr. Larry Ponemon, founder of the Ponemon Institute, told Advisen. The consequences of the attack are “pretty enormous,” he added.

“These kinds of events suggest that traditional passwords are completely useless,” he said.

Much of this information could be used to simply send “spam, spam and….oh, spam,” said Krebs, adding, “Junk email is primarily sent in bulk using large botnets — collections of hacked PCs. A core component of the malware that powers these crime machines is the theft of passwords that users store on their computers and the interception of credentials submitted by victims in the process of browsing the Web. It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote.”

However, Ponemon told Advisen that much more “nefarious” actions could occur, especially if a hacktivist group gets its hands on the information.

“There’s a lot of stuff that can sit in an email that you wouldn’t want made public,” he said, adding that more “creative” methods of authentication need to be developed, citing biometrics and multi-factor authentication.

“These hackers, especially the Russian syndicate, are very, very smart and know how to get to this information,” said Ponemon. “It’s a sad state of affairs. With the war against cybersecurity, we’re not winning.”

However, he added, “We’re already starting to see the emergence of some great technology and tools. There have been major leaps in terms of technology.

Effort to Evolve

The U.S. government has been a catalyst for some of those technologies. The National Institute of Standards and Technology (NIST) operates a program called the National Strategy for Trusted Identities in Cyberspace (NSTIC), dedicated to improving the “Identity Ecosystem,” according to spokesperson Jennifer Huergos. NSTIC promotes the development of technology to provide alternatives to the username/password combination, working with such firms as, which offers what it calls a “single-sign-on solution” to more securely manage data online.

“We clearly cannot remember passwords, we’re just not set up for them,” Huergos commented. Consumers or businesses could instead choose to partner with a group they trust to handle their information.

“You get to choose who has what information about you,” she told Advisen. “It gives people some protection from having their information everywhere.”

NSTIC awarded several grants for firms working in the area of securing cyberspace last year and has another round planned for this fall.

“By focusing attention on it, we can bring in different people and act as convenor,” Huergos said. “We can get the conversation going.”

Security Now

Ponemon told Advisen the likelihood of bringing out those responsible for the breach is slim, as it represents not just one hack, but “many, many hacks — many, many times.”

“Once the info is stolen, it’s gone forever,” he said. And while the release of the information might prompt skepticism to some, it could also provide a “wake up call to smaller business with an internet presence.”

Ponemon said he advocates more efforts to withstand these types of attacks with tougher security. There’s a cost associated with moving toward multi-factor authentication or biometrics, but businesses need to make that change.

According to Erin Nealy Cox, executive managing director for Stroz Friedberg’s global incident response practice, the potential impact of the breach means most businesses and consumers should take steps to secure their information.

“If the numbers are to be believed, 1.2 billion covers most of the developed world,” she told Advisen. It might be tempting and customary practice to use one password for every log-in, but “you should resist doing that,” Cox said. Smartphone password “vaults” with dual factor authentication have become increasingly available, secure and popular, she noted.

Companies should also examine any external-facing websites they have and grant access on a need-to-know basis. Best practices also suggest a mandatory password change every 60 or 90 days, which might cause grumbles from employees, but it’s a must to prevent vulnerabilities and mitigate the extent of damage in the event of an attack.

“Security’s always going to come with a price of convenience to the users,” Cox said. “As these events are more publicized, hopefully, this awareness will come with better security for everyone. I think that the silver lining is that there’s more public awareness of the problem.”'

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].