Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases. A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable …


  1. frank ly

    Recent Spamstorm

    Is this why, for the past month, I've been hit by "Online Rx 35% discount" spam, sometimes four a day?

    I've used a particular yahoo email address as a 'sign up' address for various things over many years. I think it's time to get a new email address and migrate all my 'serious and useful' accounts over to that.

    1. Anomalous Cowturd
      Joke

      Re: Recent Spamstorm

      Not just me then?

      Apparently, penis enlargement pills and slimming aids are what I need.

      Strange, as the only fat part of me is my cock!

      1. Anonymous Bullard
        Windows

        Re: Recent Spamstorm

        Those pills don't even work :(

    2. Dan 55 Silver badge
      Unhappy

      Re: Recent Spamstorm

      My disposable address for PayPal has just started receiving spam. Bodes well I guess.

  2. Bear
    Pirate

    Huge arctic fox

    That is a huge arctic fox!!!

    These guys have really industrialised cracking. It would be interesting to know more about the stolen credentials - for example length and complexity. This would assist in knowing what needs to be done to fix this...

    1. I ain't Spartacus Gold badge
      Happy

      Re: Huge arctic fox

      That gives me an idea for some new spam. Sod penis enlargement pills, they're old hat.

      Try my new password enlargement pills. Guaranteed to work every time.

      1. Destroy All Monsters Silver badge

        Re: Huge arctic fox

        LOL 419

        "Hold Security is already capitalizing on the panic"

        The biggest problem, as Forbes's Kashmir Hill and The Wall Street Journal's Danny Yadron have noted, is that Hold Security is already capitalizing on the panic, charging a $120-per-year subscription to anyone who wants to check if their name and password are on the list. Hold says it's just trying to recoup expenses, but there's something unseemly about stoking fears of cybercrime and then asking concerned citizens to pay up. It also gives Hold a clear incentive to lie to reporters about how large and significant the finding is.

  3. Suburban Inmate

    Can someone please explain

    Why the flaming flatulent fuck are SQL injections still a thing? I'm not a coder or web tech, but isn't there even an automated tool to check one's servers? If the bad guys found this stuff...

    1. Paul Crawford Silver badge
      Unhappy

      Re: Can someone please explain

      Cheap outsourced coding monkeys?

      Graduates not taught about security and made to run automated tests for it?

      Web sites developed by consultancy then never updated?

      Developers wanting (or being told to by PHB) to prioritise shiny over robust?

      I don't know really, but those are my semi-educated guesses.

      1. NogginTheNog

        Re: Can someone please explain

        "Graduates not taught about security and made to run automated tests for it?"

        All your points are good, but teaching security from the outset to developers, and then companies that employ them insisting that the concept is baked in to EVERYTHING they write, would be a big big big big big improvement.

        1. Stoneshop
          Flame

          Re: Can someone please explain

          teaching security from the outset to developers, and then companies that employ them insisting that the concept is baked in to EVERYTHING they write

          The biggest problem is that developers rarely face the consequences of shoddy programming; not even getting called at oh-dark thirty when the application they've cobbled together shits itself and falls over.

          I've got several solutions to this problem, the severity of which can be selected according to whether it's some application that just should do something mundane in the back of a datacentre, or a large, internet-facing setup that carries sensitive data, but I fear that the UNCHR, Amnesty and the RSPCA will object.

    2. LucreLout

      Re: Can someone please explain

      "Why the flaming flatulent fuck are SQL injections still a thing?"

      Sadly most people that call themselves a professional developer have all the professionalism of a five dollar relationship.

      I've worked with some astoundingly well paid developers with 5+ years experience, who really have no excuse for insecure code, but for whatever reasons, they prefer to piss about with whatever they read on someone's bogcast the night before rather than doing their job properly. This behaviour is tolerated because most technical managers aren't sufficiently technical that I'd let them program my TiVo.

      SQL Injection has been around rather longer than a decade though el Reg. It was widely known back in the dot com days, so you can pretty much guarantee it's at least 20 years old now.

      1. John H Woods Silver badge

        Re: Can someone please explain

        "This behaviour is tolerated because most technical managers aren't sufficiently technical that I'd let them program my TiVo."

        Indeed - the problem is that, however much we like to think it, IT isn't generally a profession - it's a job. You can't practice law, medicine, accountancy or electrical contracting without appropriate qualification / certification. Surely it's about time that people developing (and I include their managers) internet-facing systems which contain personal data are properly regulated.

        1. Anonymous Bullard

          Re: Can someone please explain

          I've worked with plenty of idiots who'd be out of work if you had to go through some type of certification.

          Sure, they're experienced... but experienced at writing the same shit for the past 10 years. If I mentioned SQL Injection to them, they'd think it was a jab you need when visiting India.

          This industry is already short of workers (apparently), reducing the workforce numbers and increasing wages would cripple it. Companies would rather have a crap developer than none (or an expensive one).

          1. Anonymous Coward
            Anonymous Coward

            Re: Can someone please explain

            That's funny, I was thinking the same thing about the paper tigers ("certified" devs) I've had to work with over the years. They act like they don't need to pay attention to anything as soon as they have that cert to hang on the wall.

        2. Hargrove

          Re: Can someone please explain

          @ John H. Woods

          Implementation of the Federal Information Security Management Act (FISMA) has resulted in an extensive program for certification here in the good ole USofA. Billions have been spent on developing platoons, brigades, divisions and armies of expert specialists certified to accredit systems as meeting information assurance/security standards. Unfortunately what they are certified experts in is the administrative process that systems have to go through to be certified. Programs are accredited to operate not on the basis that they are actually secure, but on the basis that they have gone through the process and produced the required documentation.

          The common denominator is that nobody. . . but nooooobody, in the process knows f#@k-all about structured programming and proper software engineering.

          A major contributor to this dismal situation is that having to rely on third party proprietary software that is updated by vendors on a weekly basis makes trying to do sound systems engineering an exercise in futility.

          Damn I miss Fortran.

          1. Someone Else Silver badge
            Meh

            @Hargrove -- Re: Can someone please explain

            Unfortunately what they are certified experts in is the administrative process that systems have to go through to be certified. Programs are accredited to operate not on the basis that they are actually secure, but on the basis that they have gone through the process and produced the required documentation.

            Reminds me of the FDA (the U.S. Food and Drug Administration, for readers on the East side of the pond)...you don't have to prove that your medical product is actually safe and effective, all you have to do is prove you followed a documented process that is expected to result in a product that is safe and effective.

            Damn I miss Fortran

            You had an upvote from me until I read that. Remember, "You can write FORTRAN in any language". (That is usually meant as an epithet; in your case, you'd probably take it as a compliment...or even a goal to be achieved. To each his own, I guess....)

    3. CaptainBanjax

      Re: Can someone please explain

      I suspect rushed deadlines are the problem. That and vulnerabilities seem to be found at a rate quicker than sys admins can patch.

      I also suspect that pentesters are generally lacking in resources. I've recently been hired to fix a number of problems on the back of a pentesting report only to find they totally missed some serious vulnerabilities such as BEAST and Heartbleed.

      All I got was a generic skiddie report that listed the various versions of daemons that were in use with no recommendations. I think it's because pentesters are afraid of getting sued and/or having their balls handed to them if they stumble across something that could accidentally cause some downtime. Whitehats enjoy a world of restrictions, red tape, payment that doesn't fit the importance of their work and execs that panic at the slightest of issues.

      With the rates that pentesters currently get I'd be surprised if they can afford decent legal advice. This means they have no protection against flaptastic middle managers and execs. Therefore if they expose a serious problem it's court time to get them to shut up.

      The world needs solid pentesters. Lift the red tape, dish out some money and let's get on with fixing things.

      Until then pentesters are powerless and the blackhats will always win. At the moment the clear winners of the hacking arms race are the blackhats.

      There are plenty of tools being released all the time demonstrating vulnerabilities, but not as many that plug them.

      1. Roo
        Devil

        Re: Can someone please explain

        "I suspect rushed deadlines are the problem."

        SQL injection is easy to fix using parameterized queries, they are widely supported and have been around for a long time. It really doesn't take much effort to write the code correctly in the first place in this instance; the most likely reasons for SQL injection vulns are ignorance and lack of care.

        "That and vulnerabilities seem to be found at a rate quicker than sys admins can patch."

        That is a fact of life that is unlikely to change. :)

        1. Vic
          Childcatcher

          Re: Can someone please explain

          SQL injection is easy to fix using parameterized queries, they are widely supported and have been around for a long time.

          Mostly...

          I was writing some Python[1] a while back, and it required DB access - we were using MySQL.

          The first library I tried - the "recommended" one - claimed that MySQL doesn't support prepared statements[1], so the library didn't try.

          The second library I tried claimed to support prepared statements - but looking through the code, it simply did string substitution, so there was no protection against SQL injection whatsoever.

          So whilst SQL injection *should be* a thing of the past, it's not entirely the fault of developers that read documentation; in some circumstances, the library developers are making claims that are simply untrue :-(

          Vic.

          [1] I ended up re-writing the code in perl; the problems went away :-)
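Roo's point (parameterized queries are the fix) and Vic's (a library can claim placeholders while merely interpolating strings) are both illustrated by the following added example. It is not code from the thread or from any library mentioned in it; it uses Python's standard sqlite3 module with a constructed in-memory table, and the `binds_parameters` smoke test is an assumed helper name, not a real library API.

```python
import sqlite3

# Constructed sample data for this example; not taken from any real site.
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# A probe value containing SQL metacharacters. A data-access layer that really
# binds parameters treats it as an ordinary, non-existent username.
PROBE = "x' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """String substitution: the caller's input becomes part of the SQL text.

    This is the behaviour Vic found in the second library: it looks like a
    placeholder API from the outside but offers no protection at all.
    """
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the driver receives the value separately from the
    SQL text, so metacharacters in the value can never alter the statement."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def binds_parameters(lookup, conn):
    """Smoke test for a data-access function: does it treat PROBE as data?

    Run it only against a throwaway database such as make_db(). Returns True
    when the probe matches nothing, i.e. the layer genuinely binds parameters,
    and False when the probe changes the query and rows come back.
    """
    return lookup(conn, PROBE) == []


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, PROBE))   # every row comes back
    print("safe:  ", lookup_safe(db, PROBE))     # []
    print("unsafe binds?", binds_parameters(lookup_unsafe, db))
    print("safe binds?  ", binds_parameters(lookup_safe, db))
```

The smoke test is the practical takeaway from Vic's story: before trusting a driver's "prepared statement" claim, run a metacharacter probe through it against a scratch database and check that nothing matches.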

    4. TeeCee Gold badge

      Re: Can someone please explain

      Easy and also why passwords are still stored in clear.

      1) Thing gets built yonks ago.

      2) Time moves on, front end (customer facing bit) gets updated with more gloss.

      3) SQL injection vuln / lack of hashed passwords / etc gets spotted by techy types who raise issue.

      4) Project types ask which business unit is sponsoring / paying for costly changes to fix.

      5) Nobody on the business side will pay for changes as it's not their problem / has no business benefit and the changes get descoped from this update.

      Repeat 3 through 5 ad infinitum.

      A known side effect of the "start with the business case" approach to software development is that technical and security fixes never get done, as the only people that give a shit about this sort of thing have no budget to make the changes.

  4. Shannon Jacobs
    Holmes

    This is why "Live and let spam" is EVIL

    As long as it's profitable, the spammers will continue to develop their business models.

    Hey, here's a stupid idea. Why doesn't one of the big email services provide really effective anti-spammer tools? Integrate them into the email system so we can help break ALL of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and help out ALL of the spammers' victims? Yeah, I know the spammers' human victims are idiots that need to be protected from themselves and the corporate victims are mostly EVIL, but still... Less spam would still make the Internet more valuable for all of us.

    Or perhaps more to the point, wouldn't it be more valuable to you if you had an email system that the spammers feared? It could be done, but "Live and let spam" remains the dominant business model.

    1. Mark 85

      Re: This is why "Live and let spam" is EVIL

      Why? Simple really.. what you're suggesting would cost money and thus profit.

    2. Allan George Dyer

      Re: This is why "Live and let spam" is EVIL

      "the spammers' human victims are idiots" - We're all victims of the spammers. You admitted it yourself when you said the Internet would be more valuable with less spam.

      Also, unlike the meat product, email spam is not homogeneous. Anyone who falls for the penis enlargement stuff is pretty gullible, but I'm seeing a lot of "purchase order in the attachment/link" that is aimed at installing malware or grabbing the victim's credentials. I'd think it would be quite easy for a busy order clerk to click without realising the danger, especially if they are worrying about losing the order.

      Anyone who produces a "really effective anti-spammer tool" is going to find the spammers adapt to avoid it quickly.

      But, in this case, I'm impressed by how well these scumbags have audited the internet, and simultaneously surprised at how badly they have monetised and secured their ill-gotten gains.

  5. Anonymous Coward
    Stop

    These hackers are monsters!!

    NOOOOOOOOO!!!!!! Not my Hello Kitty Online password!!!

    (More seriously, it's a pretty huge indictment of current info security that good ol' SQL injection can still net so many victims.)

    1. LucreLout

      Re: These hackers are monsters!!

      "More seriously, it's a pretty huge indictment of current info security that good ol' SQL injection can still net so many victims"

      I work with a 'professional developer' who in all seriousness told me last week that "Cross site scripting is a thing of the past" and that it didn't matter if his code was vulnerable to it because the browser would protect him.

      What software development needs, and has needed for over 20 years, is a world wide regulatory body ensuring minimum professional standards of behaviour in the industry. One that has enough teeth to ensure that if your code is junk, you're out of the industry.

      1. Anonymous Bullard

        Re: These hackers are monsters!!

        Or just giving them a print-out of the OWASP top 10 (and a long wait) would be a good start.

        1. FlatSpot
          Devil

          Re: These hackers are monsters!!

          Although SQL injection exploits have been known for a long time, even the OWASP doesn't seem to mention UTF8 Multibyte character exploits on its top ten list.

          What's required are some very solid security templates to be able to build sites, without the weight or steep learning curve of a full framework. Plus some good penetration tools that aren't ££££ks to buy!

        2. LucreLout

          Re: These hackers are monsters!!

          "Or just giving them a print-out of the OWASP top 10 (and a long wait) would be a good start."

          Amusingly, or not, I had to explain to the same guy that OWASP exist and why it might be useful if he stopped messing about with cutting edge guff and learned the cornerstones of his profession instead. Unsurprisingly, it fell on deaf ears.

          We need a regulator. I know it means some people will be bounced out of the profession, but for the good of the industry, it has to happen. Costs might go up in the short term, but think of the productivity boost if you didn't have to pick up after hapless coders that don't know the basics.

          1. Anonymous Coward
            Meh

            Re: These hackers are monsters!!

            Unfortunately, a real regulatory/professional qualification regime would never happen. There are too many companies who would rather have cheap IT than good IT, too many people in the industry who would run afoul of a lack of qualifications and too many former hard-core techies who have been bumped up to management/exec ranks and would be embarrassed to admit that their technical qualifications have gone by the wayside as they climbed the ladder.

      2. Mpeler
        Pint

        Re: These hackers are monsters!!

        "...it didn't matter if his code was vulnerable to it because the browser would protect him."

        A classic case of Douglas Adams's Someone Else's Problem Field:

        The Somebody Else's Problem field is much simpler and more effective, and what's more can be run for over a hundred years on a single torch battery. This is because it relies on people's natural disposition not to see anything they don't want to, weren't expecting, or can't explain.

        1) They don't want to see it, because it would involve more work, time, expense, etc., and it would probably need to be justified to the PHB & co.

        2) They weren't expecting it, because they were relying on the browser (which was likely coded with similar SEP attributes).

        3) They can't explain it, because of 1 and 2 ....

        Sometimes I think it's an insidious plot to keep maintenance programmers and security/AV firms in business, and growing....

        On the other hand, if companies can spend so much time and $$ on trainings for SOX (Sarbanes-Oxley) and "keeping company infos secret", they can certainly (or at least SHOULD) be able to afford a class or two on information security (for the users) and safe coding practices ("hey, where are you going with that buffer")...hmm...combine the two....safe SOX for programmers....might at least improve signup rates...

        It would be nice to have an updated version of "The Elements of Programming Style" (by Kernighan and Plauger) for all developers (and their managers) to study. "The Elements of Style" (Strunk and White) would also be useful, especially for those tasked with documenting said programs/code/what-have-you.

        Do it right; don't do it twice....

      3. Someone Else Silver badge
        Thumb Up

        @ LucreLout -- Re: These hackers are monsters!!

        What software development needs, and has needed for over 20 years, is a world wide regulatory body ensuring minimum professional standards of behaviour in the industry. One that has enough teeth to ensure that if your code is junk, you're out of the industry.

        How about instead a world wide regulatory body ensuring minimum professional standards of behaviour in the industry; one that has enough teeth to ensure that if your code is junk, the fatasses who hired you are out of the industry?

        If the fatass PHB know-nothing profit-über-alles class actually had some skin in the game, then they'd be more interested in hiring engineers (note, I pointedly did not say "coders"!) who actually knew a flying fuck about what they were supposed to be doing, and the dumbasses would leave the industry for lack of work.

        Darwin was right!

  6. The Morgan Doctrine

    That's the trouble with playing defense only

    The Morgan Doctrine is the only answer to this sad state of affairs. Period.

  7. tom dial Silver badge

    It is indeed inexcusable that so many sites fail to sanitize their input, but it would be of interest to know how many of the claimed 420,000 from which data was pilfered failed to salt and hash the passwords. Their developers warrant far harsher treatment than those who only were sloppy about input editing.

    1. Pascal Monett Silver badge

      I'm guessing that, in a majority of those 400k+ cases, the website is for a small company and the developer is also responsible for procurement, storage, sales and maybe even marketing, because he's alone or with maybe an associate.

      Also, they probably operate under the assumption that they're too small to interest anybody.

      1. Richard Cranium

        @ Pascal Monett:

        "I'm guessing that, in a majority of those 400k+ cases, the website is for a small company..."

        True but a small minority of 400k is still a lot and the article says "... included Fortune 500 organizations..." and there are only about 50,000 stock exchange listed companies globally so the 400k could (hypothetically) include all of them.

        Maybe the biggest risk is from things like the vast number of insecure blogs that people sign up to in order to comment. The blog owner won't have a clue about SQL injection but in any case may take the view that for just posting comments to his blog security isn't a big concern. It's common practice to use a common login (email) & password for those and that could be used to aggregate everything an individual had posted anywhere and build a useful identity theft profile for example. And some users will have used the same login credentials for more significant sites/services...


  8. Pen-y-gors

    Practical action?

    As noted above, couldn't one or all of the main e-mail providers do something?

    Lately several of my sites have been getting hit by form spammers - these usually involve links to compromised websites that host their crap. Could not Google/Yahoo/Microsoft at least use their spam filtering system to identify sites that appear to have been compromised (often small sites running wordpress as far as I can tell!) and send email to the site owner (based on DNS records) to alert them to the fact? Then everyone might start tightening things up.

    1. Mpeler
      Mushroom

      Re: Practical action?

      It's almost as bad (or unbelievable) as the US post office staying (somewhat) afloat due to junk mail. One of my email providers has a semi-effective spam filter, but offers a much better spam filter, erm, for a slight fee (as noted frequently on their login page).

      Hmm, pay 3 euro a month for no ads and a proper spam filter, and get neither....LOADS of ads on the login page, and gobs of spam which I manage to get around with filters (which I have to change on a weekly basis). IMAP is my friend...the email vendors aren't....

    2. Richard Cranium

      Re: Practical action?

      The problem for mail filters is that it can be very difficult to distinguish spam from "good". Indeed we, as individual recipients, aren't good at it. For example I had a double opt-in * bulk newsletter mailing list of a few hundred and despite following all best practice I'd still find one or two recipients labelling it as spam rather than use the unsubscribe link in the email # or on the web site.

      * double opt-in is where after requesting to be added to the list a "please confirm" message is sent to that email address; if the recipient doesn't acknowledge, they'll not be added to the mailing list

      # some advice is NOT to unsubscribe by clicking a link in the email because if it was spam you've just confirmed to the spammer that the address is live and actively used.

      The fix for form-spam is in the hands of the guys whose form it is. They need to use good validation of the input - a form validator I've used in the past with some success is from tectite.com

      I have met people who assure me their ISP has really good spam filters, they never get any junk. That's worrying. Spam filtering is not an exact science, zero junk implies a high probability of false positives. There is a risk of some "good" email being wrongly flagged as spam for reasons like inclusion of a trigger word like the name of a medication gentlemen may find beneficial in connection with their relationships with ladies. It's a 99.999% certain indicator of spam but there remains 0.001% of legitimate use in emails, perhaps a correspondence between an individual and a medical professional.

      1. Chemist

        Re: Practical action?

        "who assure me their ISP has really good spam filters"

        I use Plusnet, their filters work very well in my experience. False positives are non-existent, false negatives depend on the type of spam. Attachments with zip files are always spotted, links to dodgy sites not so good.

    3. Trygve Henriksen

      Re: Practical action?

      You're kidding, right?

      Hotmail and Google, at least, have even removed the X-originator line from email headers, so it's now F! impossible to track it back to the sending PC, open proxy or VPN service.

      The only way these days, to find the spambots is to set up a dummy forum and log the IPs of new registrations.

  9. chivo243 Silver badge
    Unhappy

    Thanks for the Carrot

    I read the story to at least see a short list of sites compromised! I don't have a lot of web accounts, but will start the process of a mass pw change...

    Thanks for the story, but more info is what we all came to see.

  10. Smart-ti-Pants

    Have NSA / GCHQ been knocked off the podium?

    Respeckski!

    1. Paul Crawford Silver badge

      One could well ask what NSA/GCHQ has done to protect us. They should have known of such insecurities, so are either incompetent at their jobs (unlikely), view the protection of consumers against such scams as beneath them, or have such a warped paranoid world-view that maintaining hacking capabilities is more important than actually protecting us (most likely).

      1. Anonymous Coward
        Anonymous Coward

        "...so are either incompetent at their jobs (unlikely)..."

        Open to debate surely, given the breadth of subject matter of the files Snowden managed to hose.

      2. Anonymous Coward
        Anonymous Coward

        One could well ask what NSA/GCHQ has done to protect us.

        Or one could also wonder what they have already protected us from that we don't know about? Most security is behind-the-scenes. In the days when Belfast was suffering from car bombs & similar incidents, the ones that went off were the ones that slipped through the net, a much larger number were stopped before they became a real problem. Of course those ones never made the BBC News.

        Security is a thankless task.

      3. Anonymous Coward
        Anonymous Coward

        @ Paul Crawford

        Unfortunately, what we have learned from the Snowden leaks is that there is a good chance that the NSA/GCHQ knew about these vulnerabilities and didn't do anything about them, because it gives them an avenue to penetrate some of these corporations/websites when they want to.

        "Hey, section leader. I've found that you can perform a SQL injection attack on (insert large global airline)'s reservations website and retrieve usernames and passwords. What should we do?"

        "Hmmm, let's just keep that knowledge in-house for now. There must be tens of thousands of persons of interest that use that site, and the intel value of knowing where they are going and when they are leaving has real intelligence value."

  11. Boothy
    FAIL

    Use of email addresses as usernames

    I really wish they (whoever they are!) would ban the use of email addresses as user names, and simply let people pick a username instead.

    I can understand sites (sometimes) needing to have an email address for confirmation of the account, or notifications, but that should just be a field you fill in when you sign up, not something used as a login itself!

    1. FlatSpot
      FAIL

      Re: Use of email addresses as usernames

      But that also provides an attack vector, as it allows a hacker to determine valid usernames as you would have to check if the username was already in use during the login/signup process.
