360 million newly stolen credentials on black market: cybersecurity firm

BOSTON Tue Feb 25, 2014 6:36pm EST

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. REUTERS/Pawel Kopczynski

A magnifying glass is held in front of a computer screen in this picture illustration taken in Berlin May 21, 2013.

Credit: Reuters/Pawel Kopczynski

Related Topics

BOSTON (Reuters) - A cybersecurity firm said on Tuesday that it uncovered stolen credentials from some 360 million accounts that are available for sale on cyber black markets, though it is unsure where they came from or what they can be used to access.

The discovery could represent more of a risk to consumers and companies than stolen credit card data because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.

Alex Holden, chief information security officer of Hold Security LLC, said in an interview that his firm obtained the data over the past three weeks, meaning an unprecedented amount of stolen credentials is available for sale underground.

"The sheer volume is overwhelming," said Holden, whose firm last year helped uncover a major data breach at Adobe Systems Inc in which tens of millions of records were stolen.

Holden said he believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breaches known to date.

He said he believes the credentials were stolen in breaches that have yet to be publicly reported. The companies attacked may remain unaware until they are notified by third parties who find evidence of the hacking, he said.

"We have staff working around the clock to identify the victims," he said.

He has not provided any information about the attacks to other cybersecurity firms or authorities but intends to alert the companies involved if his staff can identify them.

The massive trove of credentials includes user names, which are typically email addresses, and passwords that in most cases are in unencrypted text. Holden said that in contrast, the Adobe breach, which he uncovered in October 2013, yielded tens of millions of records that had encrypted passwords, which made it more difficult for hackers to use them.

The email addresses are from major providers such as AOL Inc, Google Inc, Microsoft Corp and Yahoo Inc and almost all Fortune 500 companies and nonprofit organizations. Holden said he alerted one major email provider that is a client, but he declined to identify the company, citing a nondisclosure agreement.

Heather Bearfield, who runs the cybersecurity practice for accounting firm Marcum LLP, said she had no information about the information that Hold Security uncovered but that it was plausible for hackers to obtain such a large amount of data because these breaches are on the rise.

She said hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.

"They can get access to your actual bank account. That is huge," Bearfield said. "That is not necessarily recoverable funds."

After recent payment-card data breaches, including one at U.S. retailer Target, credit card companies stressed that consumers bear little risk because they are refunded rapidly for fraud losses.

Wade Baker, a data breach investigator with Verizon Communications Inc, said that the number of attacks targeting payment cards through point-of-sales systems peaked in 2011. That was partly because banks and retailers have gotten better at identifying that type of breach and quickly moving to prevent crooks from making fraudulent transactions, he said.

In addition to the 360 million credentials, the criminals are selling some 1.25 billion email addresses, which would be of interest to spammers, Hold Security said in a statement on its website (bit.ly/1fo5fxx).

(Editing by Richard Valdmanis and Amanda Kwan)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (6)
mkhunt wrote:
We are informed that Department of Homeland Security data will be atored by an un-named private company and we are asked to sign to allow any investigation of us deemed necessary… so will this data be protected. forbes article detailing the method by which the Post Office retails addresses is thought provoking. Data cannot be absolutely protected.

Feb 25, 2014 7:18pm EST  --  Report as abuse
Art16 wrote:
The world has become too enthralled with the advantages of digital cyberspace. The economics of continuing to pursue and expand its utility brings good return in the eyes of those so connected. The philosophy behind the primitive electron tube flip-flop now runs practically everything in vanishingly small solid state devices. Safe crackers, and old criminal profession, have turned to cyberspace to earn their ill-gotten living and just it shows that whatever a human creates, another human can undo, even now. It is too late to reverse our society and go back to paper. Only those responsible for the storage and use of sensitive data need to be made accountable for their lack of foresight to protect it. The lack of strict accountability, like punishment for those in charge, is the reason why we are suffering these outrageous thefts and the total breach of trust many depended upon in commerce.

Feb 26, 2014 2:37pm EST  --  Report as abuse
SKYDRIFTER wrote:
Can anyone see a better excuse to shut down the (current) Internet as a “National Security” risk?

That’s difficult to imagine; but look at the alternative.

Feb 26, 2014 4:02pm EST  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.