Feedback
Tech

Just How Did Those Russian Hackers Steal a Billion Passwords?

Image: File photo illustration of a lock icon, signifying an encrypted Internet connection

The Department of Homeland Security did not identify the utility that was the target of a cyberattack. MAL Langsdon / Reuters

Reports that a Russian hacking ring had stolen more than a billion online credentials sent Internet users scrambling to reset their passwords. But how did this group manage to amass such a huge collection — and is it really as bad as it sounds?

First, you should know that this wasn't some "Mission Impossible"-style hack, an action-packed dive through layers of cybersecurity. It was a bit more like training an army of burglars to go try the knobs on every door in town.

1:47

The "CyberVor" hackers, to use the name given them by Hold Security, the Milwaukee firm that discovered the hack, used what's called a botnet to do their dirty deeds. A botnet is a network of computers infected with some form of virus or malware that lets a hacker control or monitor them to varying degrees. Botnets that don't call attention to themselves can grow to tens or hundreds of thousands of devices.

Computers in CyberVor's botnet performed a simple task: Whenever they visited a website, any website, they would do a quick test to see if the site was vulnerable to an attack called a SQL (pronounced "sequel") injection.

SQL what now?

SQL injections are a decade-old hack that is easy to protect against, but even easier to perform. The attacker looks for places on the website that can be typed into — search boxes, comment fields, etc. — and fills them with code telling the site to list all its stored email addresses, credit card data, and that sort of thing. It's simple to prevent this: The website's creators just have to make sure those fields can't use certain characters, or access a separate system from the main databases.

But even a minor mistake will be found by persistent, automated attacks. Like a burglar that tries every door and window on your home every day, you can keep him out by locking them. But if you forget just one time, he's in.

CyberVor's botnet checks every website it encounters, which surely must have added up to many thousands every day. And whenever it found one with the door unlocked, it let the hackers know. They would then go in and give the vulnerability the personal attention needed to extract all that data.

So how bad is it?

It's difficult to gauge the severity of the problem, but a database that big is almost certain to yield quite a few hits. With hundreds of thousands of sites affected, there's a fairly good chance a piece or two of your personal data is in the mix, and it's easy for hackers to put two and two together.

Image:  Internet users browse websites
Internet users browse websites Kin Cheung / AP file

"Anyone that reuses passwords becomes a bigger target — same password in two different breaches? You're the lowest hanging fruit," said Joe Siegrist, CEO and co-founder of password management system LastPass.

Even those of you with clever ways to pick passwords for each site aren't safe. "If you're the kind of person that has a 'system' to make a different password for each site... your password is broken everywhere," Siegrist warns.

What's more, the sites from which the data were taken are, according to Hold Security, still vulnerable. That means other cybercriminals will be on the watch for a list of them, or perhaps will use a similar technique to gather data of their own.

The "Good" News

This hack may be big in scale, but the data stolen is fairly innocuous compared with what was taken from the Target data breach last year. Stealing thousands or millions of credit card details with names and home addresses means a potential for billions of dollars in damages, should those cards be put to use — people need to talk with their banks, identify fraudulent charges, and perhaps work to undo a damaged credit rating.

5:11

By comparison, most can protect themselves from CyberVor-type breaches by changing their password on the sites they use regularly — the work of perhaps half an hour. And be sure to set up two-factor authentication if it's available (this makes sure logins and account changes have to be OK'd by a second device of yours).

That won't stop CyberVor from using the stolen emails to set up spammy Twitter accounts, however, which is reportedly what the hackers are doing with the huge data trove. They could also easily use the botnet to send out spam emails when it's not pinging websites for vulnerabilities, notes security expert Brian Krebs.

The take-away here is basically that while this may be the largest collection of illegally acquired Internet credentials, it likely isn't as dangerous as recent hacks that put people in immediate financial danger. You'll likely be OK if you do as experts have had cause to advise several times in 2014 alone: Change your password!