Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Botnet Crime Privacy Security

Alleged Massive Account and Password Seizure By Russian Group 126

New submitter Rigodi (1000552) writes "The New York Times reported on August 5th that a massive collection of stolen email passwords and website accounts have been accumulated by an alleged Russian "crime ring". Over 1.2 billion accounts were compromised ... the attack scheme is essentially the old and well known SQL injection tactic using a botnet. The Information has been made public to coincide with the Blackhat conference to cause a debate about the classic security account and password system weaknesses, urging the industry to find new ways to perform authentication. What do Black Hat security conference participants have to say about that in Vegas?
This discussion has been archived. No new comments can be posted.

Alleged Massive Account and Password Seizure By Russian Group

Comments Filter:
  • by Anonymous Coward

    what is the use of accumulating a billion passwords if you already can sucessfully hack into the systems to steal them?

    • Re:big whoop (Score:5, Informative)

      by Joe Gillian ( 3683399 ) on Wednesday August 06, 2014 @10:18AM (#47613819)

      The use is that you now have a database of 1.2 billion passwords that can be fed into a brute force cracker and used to make "educated guesses" to crack passwords.

    • Re:big whoop (Score:5, Interesting)

      by wonkey_monkey ( 2592601 ) on Wednesday August 06, 2014 @10:44AM (#47614071) Homepage

      a) Because hacking isn't just a case of having access to everything or nothing. What if you can only hack the password database, but you can't hack the system that those logins are used for?

      b) Because, lazy as people are, you now have some very likely candidate email/password combinations to try on all the systems you can't hack into.

    • Because if you can hack into a system and get a billion passwords, you can sell those to "interested parties" for a penny each and retire.

      • User name: poiuyt, password:qwerty; Back in the day, circa 2001 I was involved in a failed get-rich scheme called poiuyt.com [archive.org] and we would be hammered with Email confirmations for people signing up at other sites using the above credentials and @poiuyt.com for an Email Address. There would be everything from free tech sites to for pay porn, I always managed to resist destroying the online reputations of these fools, but just barely. If that is the "quality of the creds the Russians have filtched then it's p

    • by TWX ( 665546 )
      With proper credentials on this scale, you can make subtle changes that don't set off any red-flags to create your profit, and it may take years for the scale and scope of your meddling to really be determined.
  • Is this me? (Score:4, Funny)

    by chinton ( 151403 ) <chinton001-slashdot AT gmail DOT com> on Wednesday August 06, 2014 @10:17AM (#47613813) Journal
    Or is the hacker that stole my /. credentials writing this post?
    • Re: (Score:2, Insightful)

      by cdrudge ( 68377 )

      How do we know they are mutually exclusive of each other?

      • Re:Is this me? (Score:4, Informative)

        by LordLimecat ( 1103839 ) on Wednesday August 06, 2014 @01:25PM (#47615257)

        Courts have ruled that it is not possible to steal something from yourself, so they are mutually exclusive.

        • by cdrudge ( 68377 )

          Are the credentials to a website property of the website? Or of the user?

          Or, if you steal the complete password file/database/whatever of a site, and your password is one of the many you obtained, is that considered a stolen password still?

        • by Lotana ( 842533 )

          What if I suffer from Multiple Personality Disorder and that other fucker stole my wallet and hid it where only he knows where it is? Are you saying I can't sue the bastard?

        • You wouldn't believe the amount of time that I've stolen from myself . . .

  • by the eric conspiracy ( 20178 ) on Wednesday August 06, 2014 @10:18AM (#47613817)

    Come on man

  • Hold on a second.. (Score:5, Interesting)

    by jbmartin6 ( 1232050 ) on Wednesday August 06, 2014 @10:22AM (#47613861)
    Of course, the company which reveals this offers a $120/month breach notification service [holdsecurity.com] so they have a strong incentive to exaggerate. I'm not saying we should immediately discount these claims but let's make sure our grain of salt is in there.
    • by s.petry ( 762400 ) on Wednesday August 06, 2014 @11:28AM (#47614477)

      That, and the loose use of numbers to make it look "skeery". Cracklib has a few million entries (add up all of the languages), and for years people have been accumulating pre-made hashes in numerous formats. I can hash "password" in CRYPT, MD5, SSHA, SSHA2, etc.. and now my 1 word has become at least 4 entries. The top 25 used passwords has now become "hundreds" of passwords. Surely that is an exaggeration, but it's not exactly a lie.

      I block way more brute force attacks out of China and the Middle East than I do Russia, but in all cases it is the same tools and methods.

      To claim that this is all the work of some mastermind criminal group in Russia is simply laughable propaganda, and ignores the fact that hackers have become global enterprises. It's easy for them to share data and tools, and they _do_ share data and tools. It's not like drug cartels that have to produce a commodity that requires land and manufacturing equipment (and people). There is more benefit for two hacking groups to share data than their is for two drug cartels to share turf. I'll guess that there are still some turf wars, but not nearly the same as with drug cartels.

      The only part I can agree with in TFA is that people don't know how to make strong passwords, and often lack the incentive to change their passwords frequently enough to stay ahead of the hackers. That's not a problem with Russia, but I'm sure this can result in yet another round of sanctions.

      • by mlts ( 1038732 )

        I would place the blame less on intruders in general, the same way that I don't blame the bears (no comparison intended) at a park for getting tame and getting garbage due to tourists feeding them.

        I point the finger at the generally sorry state of computer security since the early 2000s where a number of companies could get by with "security has no ROI" as a mantra... and so far, there has been little to no long term consequences long term (other than to the end users with ID theft issues) fo

        • by s.petry ( 762400 )

          You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password. Longer passwords are better, obviously, but should still be changed periodically to prevent a brute force attack from succeeding over time. It should go without saying that a Government would have additional processing power and could

          • You don't need something like Google Authenticator to be secure. A strong 8 character password changed every 60 days would suffice. A hacker can know your account, but statistically speaking they would not be able to crack your password by the time you had a new password.

            Statistically speaking this would work, but it is possible that of all the brute force attempts the cracker tries in that 60 day window, one of them is your password. One correct guess and they have the account. Plus this is a pain in the ass to change passwords every 2 months. Use at least 10 characters.

            • by s.petry ( 762400 )

              I agree, and pointed out that it's a statistics issue. No system is perfect, but to have several "strong" passwords is more secure in my opinion than having all your eggs in a single (Google Auth) basket.

              • Oh I absolutely agree on the importance of several passwords. I really don't like these centralized authentication systems or password keepers. It may be the height of paranoia, but if I'm going to the trouble of making up all these multiple strong passwords, why would I then put them all in one location? That's one system to compromise to get the keys to all my accounts.

                Really the issue is the inability to remember multiple passwords for the average person (or the inability to want to remember them). I

                • by s.petry ( 762400 )

                  Really the issue is the inability to remember multiple passwords for the average person (or the inability to want to remember them).

                  Well, there is another statistics issue to consider then. Lets say you use math as your password, like "N=6*24/tan(lb)". Nice strong 14 character password right? If you changed N to I, you have changed your password enough to defeat a brute force attack and only changed 1 character of your password. It's not like a computer can brute force the last characters, or the first characters. The brute force crack needs to break the "Whole" password.

                  Extend the same statistics problem, and if you use "lb" for b

          • by mlts ( 1038732 )

            I will agree on that count: If I had an AIX machine that was configured to lock out an account until it gets manually reset (i.e. permanently if there are no people on site or can log in) after 3-5 wrong accesses, an eight character password changed every two months would be good enough.

            However, locking down in this manner will bring up issues, be it denial of service attacks (an ex-employee does this to lock all staff out on a Friday, or a salesperson before his big presentation.) Other ways may not help

            • by s.petry ( 762400 )

              Wait. Why would you need an AIX box or even permanent lockout? Answer: You don't need any such thing.

              Native Unix LDAP supports time duration locking, it does not have to be permanent, and works with all NSS_LDAP libraries. I have run Servers of all types and Linux clients of all flavors (AIX, Solaris, HP-UX, RHEL, Ubuntu, etc..) and never had to permanently ban accounts for well over a dozen years (Early implementations were not as good as later, but still worked very well).

              The majority of server side se

    • You mean:

      #1 Set up a website with 1.2 billion accounts.
      #2 Have Russian hackers crack your website.
      #3 Proclaim: "We have a list of 1.2 billion accounts that were compromised by Russian hackers. Pay us $120 if you want to know if you're affected."
      #4 Profit!

    • From the TFA:
          At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.

      • Yeah, the paper that broke the story, claims that they had "a security expert not affiliated with Hold Security" that they refuse to name, verify that the database exists.

        Sounds to me like Hold Security, paid the New York Times to plant a story that is really an advertisement, who in turn paid a fake security expert to come up with a predetermined conclusion.

    • by Phusion ( 58405 )

      Yeah, I hadn't read the source article until today. I chuckled a bit when they mentioned the services they offer that could help mitigate this threat.

      I'm sure several companies that have monitoring, pen-testing and other paid services are spooging their pants right about now. I'm sure that the story is legitimate, they may not be exaggerating, just letting their readers know that for a price, they're here to help :)

  • Bears repeating (Score:2, Insightful)

    by MikeRT ( 947531 )

    For those inclined to make moral equivocations between the NSA and the Russian government, both do what the NSA got caught doing. The difference is that the US Government would have the FBI kicking in this gang's door with a SWAT raid if they were Americans, whereas Putin is probably chuckling right now if he's reading about this.

    • Not sure I get what you are saying... Is it that Putin is sitting in his easy chair, munching caviar, laughing about "those crazy kids", and that he is above instructing his former colleagues at the FSB to check things out? What are we supposed to base Putin's indifference (or altruism) about this purloined user data? The lack of a Russian Snowden? Absence of evidence is not evidence of absence.

      • Putin's in his Dacha, kickin' back with a vodka and some roe, laughing as the kickback payments accumulate in one account and the kneebreakers make lists of delinquents to visit in another.

    • If the NSA now wanted to apologize their domestic spying with "but the others do it too", we should get off the high horse of "we're the shining beacon of freedom in this world", too.

      Have your cake or eat it. Either you're entitled to doing what the crooked states do, or you are entitled to look down your nose at them. Choose. You can't have both.

      • I think "Superpower" status includes the ability to have both. Because hypocrisy doesn't matter if you're big enough that you don't have to care what other people think.

        I'm pretty sure the U.S. passed that moral event horizon a long time ago.

        • Hypocrisy does matter. Unless you don't care that some people, usually from other countries, consider you a big enough asshole that they think it's allright to blow up a part of you.

          Because that's what an attitude of "I can be as much an asshole as I please 'cause nobody can do anything against it" entails: Someone finds a way to do something about it.

  • by Anonymous Coward

    Not a single mention of Windows in the article, only the term botnets which we all know is 99% Windows. The average joe needs to be educated that using Windows is dangerous, period. If they happy click in other OSs it's not impossible to get "infected", but it's certainly much more difficult. Period.

    However, on the exploitation side, it's not really a Microsoft issue. It's hipsters writing crappy code in all languages who don't have the raw programming acumen to avoid things as basic as sql injections.


    • The average Joe needs to be educated (by technology or the legal system) that his computer is his responsibility. You think people would stop clicking away any and all kinds of warning to see dancing bunnies if they had to use Linux or MacOS? If the latter had the 90% market share Windows enjoys today, we'd now have the same discussion with you complaining about how all those hipster Apple zealots are to blame for botnets.

      A system's security is the minimum of the capability of the system and the capability

  • by MoonlessNights ( 3526789 ) on Wednesday August 06, 2014 @10:52AM (#47614131) Homepage Journal

    How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

    Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

    You shouldn't be able to steal a password since the site shouldn't have it.

    • Not if trick the end user into installing a key logger.
      I don't know if you work on PC's at all... I do. MOST people's computers are so heavily infected with malware that I don't even fix anything anymore. You bring your computer to me, I delete partitions, write 1's to every sector, then reinstall your OS. I've even started seeing boot sector viruses.

      • So, you think that the problem is that they compromised the site in order to phish the user into installing a keylogger? That would actually explain how they could get the passwords, no matter how they are stored on the server, so it is an interesting interpretation of the article.

        I still think that it is a harder sell since it requires tricking millions of users into installing an exploit and hoping that they all use the site. If you were able to pull this off, stealing their password for the target site

        • by Rich0 ( 548339 )

          I still think that it is a harder sell since it requires tricking millions of users into installing an exploit and hoping that they all use the site. If you were able to pull this off, stealing their password for the target site would be the least valuable thing you would have stolen.

          No, you get people to install a keylogger period. You might have to hack into some site to do it, or maybe you hack directly into their computers, or maybe you send them an email with an exploit, or maybe you purchase a banner ad and embed an exploit.

          If you install a "keylogger" (more likely a rootkit that captures everything in every form submission with URLs as well as keyboard input and probably a whole lot more) on somebody's computer, you get their usernames and passwords for every site that they use.

      • Keyloggers are certainly a popular way for collecting passwords on a malware-infected computer. Undoubtedly, some portion of this claimed collection would have been built off keylogging.

        The extortionists describing this password trove are claiming it was built by using compromised client computers to launch SQL injection attacks against servers where the computer's owner had an account. Such a strategy would allow the attackers access to injection vulnerabilities that are inaccessible to an unauthenticated
    • by Anonymous Coward

      Not a damn thing wrong with username password authentication.
      And you don't need two-factor authentication either (aka: govt and corps tracking your ass by your phone number for life).
      Although TOTP is ok for that where desired.

      The problem is with ADMINS who can't admin securely, and USERS who can't keep their box secure.
      And the sorry part about it is that keeping systems secure from crackers isn't that hard.
      I've been on the net for over 20 years and the only time any of my hundreds of systems were
      cracked is

    • by Anonymous Psychopath ( 18031 ) on Wednesday August 06, 2014 @01:50PM (#47615493) Homepage

      How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

      Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

      You shouldn't be able to steal a password since the site shouldn't have it.

      It probably is hashes and not passwords. If they were the actual passwords, they'd be using them themselves instead of trying to sell them.

      • Thing is, AFAIK the hash is pretty useless by itself, so I wouldn't think the hashes would be salable. Besides, there are places that are run by people who don't know what they're doing who will store passwords in the clear. I suspect this every time I run into a length restriction on passwords (usually on financial sites, unfortunately).

        • It's not that there is really a length restriction in the database, it's just how the javascript they cut and pasted to verify the user input is set up, you really can't expect free javascript form Russian-hackers.ru to not have a few limitations.

    • We recently changed our Internet service with Swisscom (details unimportant, but it involved installing a different router). I received a letter in the mail confirming the user name and password in plain text. The password hadn't changed - it is the same one that I chose years ago when we originally selected Swisscom as our ISP. Which, of course, means that they have not hashed the password, but have stored it in a retrievable fashion.

      Now, this is fairly minor, because the password isn't good for much beyon

    • How was this even possible? Passwords should NEVER be something you can steal since they shouldn't actually be stored as clear text (or even encrypted, for that matter).

      Hasn't it been common practice, for at least a decade, to store the passwords as a salted hash (using a unique salt for each user)?

      You shouldn't be able to steal a password since the site shouldn't have it.

      The site doesn't have to have the creds to be able for them to be stolen, it only needs to acknowedge the creds are correct and your logged in.

  • by blackbeak ( 1227080 ) on Wednesday August 06, 2014 @10:52AM (#47614137)

    Because of the ever increasing amounts of internet insecurity, shills paid to push corporate/government agendas and rebuke/dismiss detractors, "sock puppet" and AI posters, overzealous copyright take-down operations, pay-only access to verified (ie: useful) information, spamming, spoofing, bandwidth throttling, spying, tracking, personal information gathering, legal constraints and considerations, over-suspicion of anyone not 100% politically "correct" or aligned with power, agenda based "news", "echo effect" search results, and probably some other stuff I can't think of right now, the internet is quickly losing it's ability to be much other than a channel for light entertainment.

    Has the internet hit it's nadir? It's probably only a matter of time before e-commerce fails in a major way due to these security leaks. And it may also be way too late to be useful in organizing any type of real grassroots socio-political change. Let's just go watch cute kittens on YouTube.

    • Gee, I just realized: How do I know that in 10 or 15 years cute kitten watching won't be linked to a mental disorder or something? Then, if my internet activity is ever reviewed, I'll be the worse for it! Damn! Even watching kitten videos isn't safe!
      • If watching cute adorable kitten videos is crazy, I don't want to be sane.

        Because, cute adorable kittens.

    • Far from its nadir at this point, but your post makes excellent points. It definately seems to be getting worse at an accelerating rate.

      At what point of security breakdown do online roles/uses become unusable...my guess is that the credit card folks have seen a significant falloff in use (and collection of fees) due to the constant capture of people's credit card numbers as an example - at some point that will become more pronounced.

      What is the point where enough people start clamoring for a "sec
      • The laws concerning internet security are in place, where we fail is executing them. As long as fines are petty change, security will be handled by accounting, not risk management.

        • by Rich0 ( 548339 )

          The laws concerning internet security are in place, where we fail is executing them. As long as fines are petty change, security will be handled by accounting, not risk management.

          Writing secure software is hard though. Sure, projects like Chrome do a much better job of it than your typical corporate process automation application does. But, even Chrome has a steady stream of discovered vulnerabilities.

          I think the password is the real weakness here. We really need to get away from having them at all. You should have a two-factor module that itself demands a password and does all the authentication. The thing is we can't have every website out there provide their own, because I d

  • by Anonymous Coward

    Just because something is written in the NYT does not mean it is true, I have seen no evidence to substantiate that claim

  • by Dave Whiteside ( 2055370 ) on Wednesday August 06, 2014 @10:56AM (#47614187)

    to change all your passwords
    use something like keeppass or lastpass


    • The article noted that many of the sites are still vulnerable to attack (and probably still being harvested of UserID/pword data).

      The Kee Pass (password manager) recommendation is probably the best - i.e. unique password for each website going forward.
    • Most people with Gmail accounts are not familiar with the "Last Activity" on the lower right. Clicking "Details" will bring up a list of the recent IP addresses that accessed the account. Unless someone logs in and changes your password, you can monitor for unauthorised account access by checking the location and address of recent logins. I monitor my account. Some people would have no clue someone is regularly logging in to capture info. It even shows when two are logged in at the same time. Try it.

  • by Anonymous Coward

    I'm Confused. If the hack is SQL Injection that would mean that the password were stored in clear text in the DB. Who the hell does that anymore?

    • You'd be surprised...

      But right afterwards is badly or not salted hashes, begging for a replay elsewhere. And that's still quite common.

  • Why is it I am hearing about this on Slashdot two days later than other news sites? I used to be able to count on breaking tech news to show up here first.


    • Because /. is an aggregator. It's Readers Digest, if you will. You come here for the news that are not so important to you, yet not unimportant enough that you'd want to miss them.

      If ITSEC is especiall interesting to you, I think you might read some pages focusing on IT security. Of course, you won't hear about the latest events in IT court there, or hear about some new SoC toys.

  • by Anonymous Coward

    This story seems to have no actual meat to it. They say that a lot of sites have been hacked, some big names, we knew this. Many sites are still vulnerable, we knew this. By not disclosing the sites you're making more people vulnerable, and it's bad for everyone. It's going to take something bad happening to someone to learn the importance of password security for themselves. Some people will never learn certain concepts unless they experience them for themselves.

  • Within the phrase 'Russian crime ring', the last two words are redundant?

  • What does an SQL injection have to do with the alleged weakness of username/password authentication?

    • by angel'o'sphere ( 80593 ) on Wednesday August 06, 2014 @11:53AM (#47614665) Journal

      With an SQL injection you possibly can fetch the password out of the DB.

      You would be surprised how many data bases for a certain business has a table called USERS with fileds like uname, real_name, email, password ...

      By simlly putting "something ; select password from USERS where uname = 'user'" you can enhance every input field of a website with the stuff behind the semi colon. Even if somehow you cause an error on the server it is possible that the html returned containes the password you are seeking.

      Or you add behind the semicolon " ; select * from Users sort by email first 1000" don't remember how 'paging works in SQL'. Replace the 'first 1000' with the approbriated statement.

      So instead of a list of items you are looking for on ebay, you have an additional bunsh of text at the bottom of the list holding an extract of the USERS table.

      • If you are using mySQL, it would be "Select * from Users limit 1000". If you are using Microsoft SQL Server, it would be "Select top 1000 * from Users".

      • And that only works with passwords but not with any other form of authentication?

        Actually, it's more likely that a well organized password database is more resilient against a replay attack than some half-baked solution that didn't get through a few decades of auditing.

        • Well, retrieving data, you should not be able to retrieve, that is done via SQL injection.
          Ofc there are plenty of auth methods where SQL injections won't help, except if you get write access to the DB.
          E.g. the server could send you a one time pin code to your mobile phone. But if I can change the phone number, it would sent it to me. Short enough time frame, I even could change it back to the old number and you won't notice easily.
          Right now SQL injections are mainly used to retrieve data.
          But consider I can

    • Yeah, it is an odd article.

      It seems like they are talking about 2 real problems:
      1) SQL injection (which could be solved by only using prepared statements)
      2) storing cleartext passwords on the server (which could be solved by storing as hash with per-user salt)
      Both of these techniques have been old hat for around a decade so the real news is that so many sites could apparently be compromised this way (of course, the entire article sounds invented, so who knows if that is even true).

      The "alleged weakness of

  • How many of those 1.2 billion passwords are "password"?
  • I worked on project at a telco a little under 10 years ago and much of the provisioning code was written in Moscow. I couldn't help but think even back then what would happen if Putin really got out of control. It was already apparent that he had overwhelming nostalgia for the CCCP. Sooner or later we'd be in some sort of conflict with him; was it really a good idea to allow this kind of software to go to a potential belligerent. Never mind code for financial and payment systems. Same with China. It probabl
  • This may be a hoax; but it is certainly not impossible for this sort of thing to happen.

    What governments and businesses need to know/do is:
    1) Understand that there is no such thing as ABSOLUTE security - every castle, system, etc can (arguably will) be compromised. The dilemma is whether the cost/effort needed to compromise the system is worth the reward/gain.
    2) They should only keep the essential information - don't keep what you don't need. Besides, what they don't store can't be stolen - in the long-ru

  • ...because Verizon can!
  • Looks like they have started selling email addresses. I just got email from multiple spam runs for my email addresses from:

    Spam does not bother me so much. But the first two email addresses do. They are my domain registrars. So they have my account information and could change my domain registration. Time to change some passwords.


"For a male and female to live continuously together is... biologically speaking, an extremely unnatural condition." -- Robert Briffault