Here are some fun headlines that would perfectly set up the plot of a summer spy movie…
- Russian Hackers Amass Over a Billion Internet Passwords
- Russian hacking gang steals more than 1 billion usernames and passwords
- Have you been hacked? Milwaukee company discovers 1.2 billion user names & passwords STOLEN!
You could even say the film was “based on a true story.”
An American cybersecurity firm called Hold Security revealed last week that “fewer than a dozen [Russian] men in their 20s who know one another personally — not just virtually” have access to a trove of 4.5 billion username/password combinations. They also have more than 540 million email addresses. The New York Times had an independent expert verify the data’s authenticity.
Get the popcorn
In a blog post titled “YOU HAVE BEEN HACKED!” Hold Security called it “arguably the largest data breach known to date.” But it’s not really clear this is a big deal.
Partly that’s because Hold hasn’t shared a lot of information, including how they got the data or who the victims are. (It says it doesn’t want to name companies that are still vulnerable to hacking — but that horse has left the barn.)
It also admits that only 1.2 billion of the records are unique, and that not all of them are current or valid. Some are fake email addresses people use to avoid spam. But hey, they came up with a cute name for the Russian password hackers: The CyberVors.
Sounds like something that eats data, and vor is Russian for thief.
“Do not panic! Try to strategize,” Hold’s post says — right before sharing information about all the security services they offer. But there’s not much to panic or strategize about. Here’s why you should just sit back and enjoy the spectacle…
1. You never visited most of the hacked sites
“Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Hold Security founder Alex Holden told The Times.
Hold’s blog post says “420,000 web and FTP sites” all around the world were affected, but that the hacking group didn’t differentiate between small or large sites. “A multitude of small or even personal websites” were hacked.
2. The hackers bought a lot of their data
“They began as amateur spammers in 2011, buying stolen databases of personal information on the black market. But in April, the group accelerated its activity. Mr. Holden surmised they partnered with another entity, whom he has not identified, that may have shared hacking techniques and tools,” The Times says.
As PCWorld points out, “It’s unclear how many credentials they bought and how many of the 1.2 billion they culled themselves. Without that information, it’s hard to know how fresh — and hence how valuable — the stolen data is.”
But we already know only 1.2 billion of 4.5 billion records were unique, which means the CyberVors could have bought the same data four times over, or stolen some of the same data they later paid for.
3. The security company is trying to sell you stuff
“This is the worst kind of news, spare on details and causing a panic without offering a solution. Oh wait, but there is a solution! You can pay ‘as low as $120’ to Hold Security monthly to find out if your site is affected by the breach,” wrote Forbes’ Kashmir Hill.
She’s referring to a new “Breach Notification Service” that Hold Security’s blog post points to, but there’s also a forthcoming (“within the next 60 days”) identity monitoring service you can pre-register for. The company also timed the CyberVor announcement to coincide with an annual hacking conference, according to The Times…
The disclosure comes as hackers and security companies gathered in Las Vegas for the annual Black Hat security conference this week. The event, which began as a small hacker convention in 1997, now attracts thousands of security vendors peddling the latest and greatest in security technologies. At the conference, security firms often release research — to land new business, discuss with colleagues or simply for bragging rights.
That’s not to suggest that this mass of stolen data isn’t a problem, or that Hold Security is being dishonest. But the reporting makes it clear this has been going on since at least April, and if the company felt comfortable sitting on the information until the timing was good for business, the hack probably doesn’t warrant the more breathless coverage it’s getting.
4. The hackers aren’t selling the data
“Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work,” The Times says. But they’d make more selling the data to identity thieves — if they had data worth selling.
Since they’re not doing that, it’s reasonable to think they don’t have valuable data — probably in large part because they bought data that’s already been sold to other parties, and old passwords people changed after the last major hacking scare.
5. The passwords may not even be exposed
Another possibility for why the hackers might not be selling the data is that it could be encrypted, which is standard operating procedure. Even strong passwords are useless if the website they’re used on saves them as plain text.
Lifehacker has a great post explaining how websites store passwords, and says, “[Plain text] is the worst possible method, in security terms, and most reputable web sites do not store passwords in plain text.”
There are various types of encryption, some easier to crack than others. The best-case scenario is that CyberVor has 1.2 billion locked boxes it can’t find the keys for. But more likely, it has a mix of boxes — some transparent tupperware, some padlocked chests, and some industrial safes. And the tupperware has probably already been raided by others, or contains passwords so old you can see the mold growing on them.
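To make the three kinds of box concrete, here is an added example (not code from the post, Hold Security or Lifehacker) of what a stolen password record looks like under each storage method a site might use; the sample password and all function names are constructed for illustration. What the post calls encryption is, for stored passwords, normally one-way hashing, which is what the second and third tiers below do.

```python
import hashlib
import hmac
import os

# Constructed sample password; nothing here comes from the reported data set.
SAMPLE_PASSWORD = "correct horse battery"


def store_plaintext(password):
    # Transparent tupperware: whoever steals the record reads the password.
    return password


def store_unsalted_hash(password):
    # Padlocked chest: one-way, but fast and unsalted (SHA-256 here; MD5 on
    # many older sites). Every site holding this password stores the same
    # value, so one precomputed table of common passwords opens them all.
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_slow_hash(password, iterations=200_000):
    # Industrial safe: a random per-record salt and a deliberately slow hash.
    # Two users (or two sites) with the same password get different records,
    # and each guess costs an attacker the full iteration count.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_slow_hash(password, record):
    # The site checks a login by re-deriving the hash with the stored salt.
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_reveal_reuse(record_a, record_b):
    # Given two stolen records from two sites, can a thief tell, without any
    # cracking, that the same password was used at both? True for plaintext
    # and unsalted hashes, False for salted ones.
    return record_a == record_b
```

The last function is the reuse point from the post's section 6: with plaintext or unsalted records, a password recycled across sites is visible as the same value everywhere, whereas salted records hide even that.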
6. It’s not something you can prevent
This hack isn’t really about your personal security; it’s about business security. The hackers weren’t guessing your password. They use a technique called SQL injection — think of it as the code equivalent of spy-movie truth serum — to force websites to dump the contents of their databases. It’s a common hacker tactic that people just learning how to code websites are warned about.
“Hackers have been using the attack for more than a decade, and any security professional would know to protect against it,” says The Verge. “Most comparable hacks (Target, Adobe) involved extensive research and multistage hacks that were tailored specifically to that company, much more sophisticated attacks than the one Hold describes.”
The sites that aren’t prepared for SQL injection attacks probably aren’t sites that would have much useful data anyway, unless you make the rookie mistake of using the same password everywhere. In that case, your Spotify password is just as good as your bank password, and you should fix that.
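As an added illustration (not code from the post or from any site it mentions) of why this counts as a rookie mistake, here is the same user lookup written both ways against a constructed in-memory SQLite table: the version that pastes input into the SQL text lets one crafted username dump every row, while the parameterised version treats the identical input as plain data and returns nothing. The table contents, names and the input string are made up for the example.

```python
import sqlite3

# Constructed in-memory table standing in for a small site's user database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # The beginner's mistake: user input is pasted into the SQL text, so a
    # quote character in the input ends the string and the rest runs as SQL.
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # The fix: a parameterised query. The driver hands the value to SQLite
    # separately from the statement, so it is only ever compared as data.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def demo():
    conn = make_db()
    # Constructed input of the textbook kind every web tutorial warns about.
    crafted = "bob' OR '1'='1"
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, crafted)),  # whole table
        "safe": lookup_safe(conn, crafted),  # no such username, so nothing
    }
```

Both functions behave identically on ordinary usernames; the difference only shows on input that contains SQL syntax, which is exactly what a code review or a web-framework linter should flag in the first version.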
7. Best practices make passwords worthless
If you take the proper precautions with your logins, your data is as safe as it’s gonna get and you’re completely useless to Russian hacker punks. If you don’t care, you’re going to get hacked eventually. Either way, nobody is very worried.
It’s the people who aren’t sure what they should be doing who are stuck with the stress. Here’s how to get rid of it:
- Use 2-step authentication where available. Some sites use your phone to add an extra layer of security. You enter your password, then you have to type in a verification code that is texted to you at that moment. Lifehacker has a list of popular sites that offer this service, along with how to enable it.
- Don’t recycle passwords. That means have a unique password for each website (even if it’s a variation of the same one) that you never use again.
- Create complex passwords. The longest mix of numbers, symbols, uppercase and lowercase that you can remember. Length and unpredictability are the most important factors.
- Change passwords regularly. How often is up to you. More is better for security, if not your sanity.
- Get a password manager. If you do this, the last three tips only apply to one password. A password manager is software that keeps track of all your logins so you don’t even have to know what the passwords are — except the one to that program. Even the free version of LastPass will save you a lot of hassle, and you can get unlimited mobile access for $12 a year.