News broke late Tuesday that Russian hackers have acquired over one billion username and password combinations, the largest known collection of stolen Internet credentials. It’s a massive number, when you consider that there are 2.9 billion Internet users in the world, and it’s highly likely that many of us have at least one affected account.
How many people have been affected?
It’s difficult to say. We know that a total of 1.2 billion unique username and password combinations were stolen, but that doesn’t mean that 1.2 billion people were affected—many people may each have had credentials for multiple accounts stolen.
We also know that the stolen credentials were linked to over 540 million email addresses, which might be a better measure of the number of people affected. However, some people use fake email addresses, and some email addresses may no longer be in service. So there’s still a fair amount of uncertainty about how many people have an account or two that could now be broken into.
But the sheer number of credentials could open the door to many more attacks. And 1.2 billion accounts isn’t a number to sneeze at. It means 1.2 billion internet users’ accounts could theoretically be accessed by a hacker at any time.
Who stole all these usernames and passwords?
The group responsible is a crime ring based in a small city in south central Russia, the region between Kazakhstan and Mongolia, according to a New York Times report. The men who did the stealing are in their 20s, know each other personally (not just online) and there are fewer than a dozen of them. Security experts have dubbed the group “CyberVor,” with “vor” meaning “thief” in Russian.
Who finally figured out this was happening?
A cybersecurity firm called Hold Security discovered the hack. The company has a good track record discovering big data breaches, identifying a large data breach at Adobe Systems in October 2013, and tracking the Target breach in December.
How did the Russian hackers manage to get this much private information?
The hackers used a network of virus-infected computers (known as a botnet) to scour the Internet for vulnerable websites. Whenever a user of an infected computer visited a website, the computer tested the site to see whether it was susceptible to attack. If it was, the criminals flagged the site and returned later with an attack called SQL injection, which lets the attacker copy out the contents of the website’s database.
“The botnet conducted possibly the largest security audit ever,” said Hold Security in its blog post.
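As an added illustration (not code from the article or from Hold Security’s report), here is a small Python demonstration of the SQL injection pattern described above: a credential lookup that splices user input straight into the query, the parameterized version that resists the same input, and a minimal hypothetical log heuristic for spotting such attempts. The table, its rows and the inputs are all constructed for the example.

```python
import sqlite3

# Constructed sample data: a toy "users" table standing in for a site's credential store.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw"),
    ("bob", "hash-of-bob-pw"),
    ("carol", "hash-of-carol-pw"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: user input spliced into the SQL text.
    A crafted username changes the query's meaning, so instead of at most
    one row the query can return every row in the table."""
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The hardened pattern: the input is bound as a parameter, so it is only
    ever compared as a literal string and can never alter the query."""
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_injected(username):
    """Hypothetical, minimal detection heuristic for application logs: flag
    inputs containing a quote plus a SQL keyword, so attempts are visible
    even when the query itself is already parameterized."""
    low = username.lower()
    return "'" in low and any(k in low for k in (" or ", "union", "--", ";"))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input: closes the quote, adds a tautology
    print(len(lookup_vulnerable(db, crafted)))     # 3: whole table dumped
    print(len(lookup_parameterized(db, crafted)))  # 0: no user literally named that
    print(looks_injected(crafted))                 # True
```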
Will you know if your passwords have been stolen?
There’s a good chance you won’t know whether your passwords were taken as part of this heist. Discovering that someone has logged into your account would be a clear warning sign, but it’s unlikely you would notice that happening.
What are the hackers doing with the passwords?
As of now, the criminals have not sold many of the records online, and instead are giving the information to third parties to send spam on social networks like Twitter. They’re then collecting fees for their work. So far, it doesn’t appear to be a complete disaster for Internet users, but it leaves a lot of people very vulnerable.
What should you do now?
It’s probably a good idea to change your password now. And if you use the same passwords for multiple websites—don’t. Reusing passwords is not a good idea because it makes it that much easier for hackers to get into many of your accounts and access key information like your credit card data. Security experts recommend regularly changing your passwords anyway.
“Individuals should get in the habit of changing their passwords, sort of like doing taxes,” said Carl Herberger, vice president of the security firm Radware. “Time decays any security measure you have in place.”