In August, a Russian cyber gang obtained what security researchers called “the largest cache of stolen data." Now, those hackers may be putting pilfered passwords to criminal use.
Hold Security first offered details on the theft of 4.5 billion records, including 1.2 billion usernames and passwords that correlate to over half a billion e-mail addresses. Dubbed "CyberVor" -- vor means thief in Russian -- by Hold Security, the group apparently hacked more than 420,000 Web sites to get "such an impressive number of credentials."
“The CyberVors did not differentiate between small or large sites,” the firm explained in a blog post. “They didn’t just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal Web sites."
Hacker Strategy Exposed
Now, Namecheap, a domain name registration site, is reporting that hackers have started using the stolen list to try to access its user accounts. The company issued an “urgent security warning” in the form of a blog post on Monday.
According to Namecheap, its intrusion detection systems alerted the firm to a “much higher than normal load” against its login systems. When the company investigated the issue, IT learned the username and password data gathered from third-party sites was being used to try to access Namecheap accounts.
“The group behind this is using the stored usernames and passwords to simulate a Web browser login through fake browser software,” the firm reported. “This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts.”
The Really Bad News
According to Namecheap, most of the login attempts failed because the data was outdated or incorrect. Nevertheless, the company is “aggressively blocking” the IP addresses it believes are logging in with the stolen password data.
Namecheap is also logging the IP addresses and plans to export blocking rules across its network to completely eliminate access to any of its systems or services. On top of all that, the company is handing over the files to law enforcement. Then came the bad news.
“While the vast majority of these logins are unsuccessful, some have been successful,” the company said. “To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.”
Namecheap may be the first to report a hack but it may not be the last. We caught up with Gerry Grealish, CMO of cloud security software firm Perspecsys, to get his take on the issue. He told us at the core of data control is ensuring sensitive and regulated data is encrypted.
“If organizations can do this correctly, they will be the sole owner of encryption keys, so if someone without proper access to their data attempts to access it, the information will be rendered meaningless,” he said. “Alternatively, organizations can use a technique like tokenization, which ensures that all sensitive data remains locked in a secure database inside a firewall.”