One of the biggest cyber attacks ever has left millions of email users at risk from being hacked. 272 million email accounts have been compromised, with Russian hackers obtaining user names and passwords. Gmail, Yahoo and Microsoft mail users are all thought to have been targeted, although the majority of the hack appears to have hit Mail.ru accounts.
IT Security experts from ESET, MIRACL, Veracode, AlienVault, Imperva, Lieberman Software and Centrify provide insight:
Ondrej Kubovič, Security Specialist at ESET:
“According to information provided by Hold Security, it seems to be a yet another large data breach, the origin of which was not found amongst users. In similar cases, good password hygiene can help minimize the potential damage such as always using unique password for each account/service.
On top of that, users should also opt for two factor authentication, if provided by the given service. This adds another layer of protection for their account and data, making it harder for the attackers to make use of hijacked data.”
Brian Spector, CEO at MIRACL:
“There is a certain irony about such a stash of passwords being stolen on world password day, and it’s a sad reminder of just how vulnerable this type of security really is.
The underlying issue is that the username and password system is old technology that is not up to the standard required to secure the deep information and private services that companies and individuals store and access online today. In order to retain their customers’ trust, online services need to remove the password from their systems altogether, and implement rigorous authentication technologies.
For now, anyone with a Google, Yahoo, Microsoft or Mail.ru email account should change their password immediately, not only for their email account but also for any other website where they may have used the same password. Unfortunately, the truth is that most of us probably already have some sort of private information floating around on the dark web and as long as we use this outdated username and password system, we will be reading a lot more of these headlines.”
Paul Farrington, senior solution architect at Veracode:
“With increasing threats to both individuals and organisations, it has never been more critical to take a secure and direct approach to protecting passwords, through two-factor authentication security, and frequent scans of web applications. With cyber-attackers typically targeting the theft of money, intellectual property and / or our personal identities, this breach only serves as a further reminder of the upmost importance for businesses to ensure that sensitive data is safeguarded against cyber-criminals.”
Javvad Malik, Security Advocate at AlienVault:
“To find out if they’re affected, users could use a (reliable) lookup service like https://haveibeenpwned.com but even that isn’t really going to capture everything.
The main advice for customers is to not re-use passwords across different systems – so don’t use the same password you use for your email to access your online banking and Facebook etc. Investing in a password manager can help greatly. Also enabling 2FA wherever possible is strongly recommended. That way, even if someone has your id and password, they still can’t logon. Some sites also allow you to set alerts any time there is suspicious activity or a failed logon.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“What’s notable about this 272 million strong batch of stolen user info is that it’s being offered at such a low price. The black market for stolen electronic information about people is like every other market and sees price fluctuations. In the past, records like these may have gone for up to $0.30 apiece. To see 272 million of them going for $1 means the prices for our data is falling, which may be seen as good news. As prices get lower and the skill needed to grab the data gets higher, then maybe we’ll see market forces fighting the bad guys for us.
The bad guys who are stealing our data have the same motivations as most of the organizations they steal it from – profit. The bad guys are just building a more and more complete spreadsheet about everyone on earth as they breach this site and that. This batch of 272 million records is only notable for being a rather large single dump of such data. They want to sell that information off, and the more complete a record is on a person the more value it has on the black market. These shadowy folks will also often use data from one breach to power another. If they find a username and password on one site, they will try it on many others in case people are using the same one over and over like many people do. If they learn a birthday or anniversary, they check if that is a pin code or other type of passcode since so many use those things for that purpose.
After years of headlines every day about breaches, the everyday users who are going to let that scare them into good security practices have already done so. If you’re one of those people and you already use different passwords for different sites, practice safe browsing, and are suspect of any email that looks “phishy,” then you have little to fear from this news. If you operate a website where even a small chuck of this data may have been culled from and you have not yet adopted basic security measures to protect that information you hold, then maybe it’s time you realized that to make a database this large they had to hit everyone they could – maybe even you. Many feel they’re too small to be a target, but no target is too small when you’re goal it to take every scrap you can get and throw it into a pile this large.”
Chris Webber, Security Strategist at Centrify:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.