An American cybersecurity company believes it may have discovered the biggest known data breach in history. The company alleges that a group of Russian cybercriminals it has been investigating for months is behind the theft of billions of passwords and other pieces of personally identifiable information. In total, the group stole 4.5 billion credentials, though many were duplicates, leaving 1.2 billion unique pieces of stolen information. The gang took data from 420,000 websites of all sizes, from well-known sites to those of small mom-and-pop shops.
The cybercriminals are a group of about a dozen Russian men, according to The New York Times. The gang started out using small-scale spamming techniques in 2011 and at first obtained most of its data by purchasing stolen databases of personal information.
“The gang started by just buying the databases that were available over the Internet,” said Alex Holden, founder of the company that discovered the breach, in an interview with PCMag. “They used to be bottom feeders, buying at fire sales. Over time, they started buying better quality databases. It’s kind of like graduating from stealing bicycles to stealing expensive cars.”
Group graduates from spam to botnets
In April, the group changed its behavior. The cybercriminals began to employ botnets to amass stolen credentials on a much larger scale. The botnets let the gang automate the identification of vulnerable websites and keep scanning around the clock. Whenever an infected user visited a website, the bot automatically checked whether the site was vulnerable to SQL injection. SQL injection, a common technique used by hackers, lets an attacker force a site's database to reveal its contents just by entering a simple command. The botnet flagged the websites found to be vulnerable, and the hackers returned later to extract each site's data. Ultimately, though, the botnet is what brought the group down: its activity is what allowed the security company to spot them.
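The probing described above leaves a recognizable trace on the server side: one client sending injection-shaped input against several different endpoints in quick succession. The following detector is an added example, not code from the article or from the security company; the log format and the client addresses are constructed, and the marker patterns are only a starting set a defender would tune.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article). Assumed
# simplified format: client, method, request path, HTTP status.
SAMPLE_LOG = """\
203.0.113.7 GET /products?id=12 200
203.0.113.7 GET /products?id=12' 500
203.0.113.7 GET /products?id=12'%20OR%20'1'='1 200
203.0.113.7 GET /search?q=shoes'%20UNION%20SELECT%201,2,3-- 500
198.51.100.4 GET /products?id=5 200
198.51.100.4 GET /about 200
"""

# Input shapes typical of injection probing: a stray quote, a boolean
# tautology, UNION SELECT, or a SQL comment. Matched after URL-decoding
# so that %27 and %20 cannot hide them.
SQLI_MARKERS = re.compile(
    r"('|\bOR\b\s+'?\d*'?\s*=|\bUNION\b\s+SELECT\b|--|/\*)", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into (client, decoded path, status)."""
    client, _method, path, status = line.split()
    return client, unquote(path), int(status)


def find_probing_clients(log_text, min_distinct_paths=2):
    """Return {client: {"paths": n, "errors": m}} for clients whose requests
    carry injection markers against at least min_distinct_paths endpoints.
    "errors" counts 5xx responses to those requests, a common side effect
    of a quote breaking the site's query."""
    probed = defaultdict(set)   # client -> endpoints hit with markers
    errors = defaultdict(int)   # client -> 5xx responses on marked requests
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, path, status = parse_line(line)
        endpoint, _, query = path.partition("?")
        if query and SQLI_MARKERS.search(query):
            probed[client].add(endpoint)
            if status >= 500:
                errors[client] += 1
    return {c: {"paths": len(p), "errors": errors[c]}
            for c, p in probed.items() if len(p) >= min_distinct_paths}


if __name__ == "__main__":
    print(find_probing_clients(SAMPLE_LOG))
```

Requiring markers on more than one endpoint separates automated probing from a single user who typed an apostrophe into a search box.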
The security company believes that the billions of pieces of stolen information were not obtained all at once, and that most of the credentials were probably bought from other criminal networks. So far, very few of the stolen records have been sold online, according to the Times; the hackers have instead used the information to send spam messages on social media on behalf of other groups in exchange for fees. According to The Wall Street Journal, a number of cybersecurity experts have noted that a breach of this scale points to a growing trend of malicious actors stockpiling large numbers of credentials over time and saving them for later use.
“Companies that rely on user names and passwords have to develop a sense of urgency about changing this,” said Avivah Litan, a security analyst at the research firm Gartner. “Until they do, criminals will just keep stockpiling people’s credentials.”
Large-scale data breaches of this kind highlight the need for companies to aggressively employ sophisticated cybersecurity defenses. Methods such as endpoint threat detection and response give businesses a clear picture of the risks facing their networks and actionable information on how best to defend against them. At a time when massive data breaches are only going to happen more frequently, continuous endpoint visibility is essential for enterprise security. Keeping a constant eye on a company's network allows threats to be identified in real time, reducing the damage a data breach can do to a business's reputation and bottom line.