Record-breaking data breach reveals serious flaws in security

In what appears to be the biggest data breach ever, a Russian gang reportedly has stolen 1.2 billion user names and passwords and more than 500 million email addresses from 420,000 websites.

The scale of the attack and the fact that it comes after multiple reports of previous cyber assaults raises significant questions about the security practices of thousands of companies around the globe and puts at risk the financial and personal information of a significant fraction of the planet’s population.

“This sounds all too familiar — weakly secured sites, preventable vulnerabilities that aren’t patched,” said Mark Bower of Cupertino-based Voltage Security. “Yet more evidence the bad guys are winning big at consumers’ expense.”

The breach was discovered by Hold Security of Milwaukee, which could not immediately be reached for comment by this newspaper. But according to the New York Times, the security firm didn’t name any of the victimized websites because of nondisclosure agreements with those sites or because the host companies remain vulnerable.

“They targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden of Hold Security told the Times. “And most of these sites are still vulnerable.”

Hold drew criticism late Tuesday when it reportedly posted a notice on its site offering to let companies know if their site was affected by the breach for “as low as $120” a month. The company quickly took down the notice. The Times said it asked for an analysis of the database by an outside expert, who confirmed its authenticity. The Times also said Hold had a history of revealing major hacking attacks.

While there is little evidence so far of any financial losses from the breach, experts say the Russian thieves might be able to access bank accounts and other valuable information.

Despite repeated and increasingly devastating cyber attacks, experts say companies are still not taking the steps to bolster their networks against hackers and protect the data they gather from consumers or other sources. They advise companies to establish layers of security measures, which not only try to prevent crooks from getting into their networks but also monitor them when they’re inside, divert them to nonessential data and otherwise limit what they take.

“It’s frustrating,” said James Pleger, head of research for San Francisco security firm RiskIQ. “It’s not an issue of it being unsolvable. People just need to be more accountable to users and take ownership of their users and protect them. That’s really the takeaway of this.” In many instances, he added, “it’s negligence.”

Pierluigi Stella of Houston-based security firm Network Box USA was similarly critical.

“We’re playing with fire, underestimating the importance of security, although we continue to talk about it as something beyond vital,” he said. “At the end of the conversation, there’s always someone asking about costs and slashing budgets.”

Robert Capps of Sunnyvale security firm RedSeal Networks noted that storing data online has become less expensive in recent years, “allowing every company on the planet to amass information about consumers in a cost-effective way. Sadly, not all companies are equipped to manage the security practices required to protect this data. The results are evident in the daily news stories of cybercrime, fraud and data breaches.”

In January, retail giant Target disclosed that thieves stole payment card and other information from at least 40 million of its customers, costing the company close to $1 billion and prompting the resignation of its CEO. In April, government authorities said they were investigating the criminal sale of Social Security numbers, bank account data and other personal information for up to 200 million U.S. citizens after a breach at the subsidiary of credit-reporting giant Experian. And the so-called Heartbleed bug has exposed a flaw in the software used to encrypt sensitive information on nearly two-thirds of all websites. But the breach identified by Hold Security appears to be the biggest to date.

Instead of selling the stolen records online, the culprits seem to be using the information to send spam on social networks like Twitter on behalf of other crooks, the Times reported. Noting that Hold Security has determined the hackers include fewer than a dozen individuals from a small city in south central Russia, the newspaper said the gang has been around since 2011, buying stolen databases of personal information on the black market. Then, more recently, it said the crooks began stealing information with botnets, networks of computers they’ve taken over and can command to do whatever they want.

By July, the newspaper said, the crooks had amassed 4.5 billion records — each a username and password — though many were duplicates. After further analysis, Hold Security determined that 1.2 billion of the records were unique and contained 542 million email addresses.

With the information they stole, the crooks “can access bank accounts or steal identities,” as well as siphon confidential intellectual property from companies, said Eric Chiu of Mountain View security company HyTrust.

While a credit card can be easily canceled, email addresses, Social Security numbers or passwords can be used for identity theft. Nonetheless, most consumers can greatly minimize the chances of having their information stolen, said Jeremy Gillula of the Electronic Frontier Foundation.

“If people follow the best practice of not using the same password on multiple sites, you really can limit your exposure — even if there is a huge data breach,” he said.