Russian Gang Amasses Over a Billion Internet Passwords

Discussion in 'privacy problems' started by ronjor, Aug 5, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

  2. mirimir

    mirimir Registered Member

    I wonder how many of these username/password and email/password pairs come from websites, such as news outlets and social sites, where there's really not much to protect. The danger is that people may use the same authentication pairs for banking etc. In a sense, all those non-critical uses increase the attack surface for the critical uses. Maybe non-critical websites should set maximum-complexity rules for passwords, vs minimum-complexity rules for passwords for critical websites. But that's too complicated, I know.
     
  3. ronjor

    ronjor Global Moderator

  4. ronjor

    ronjor Global Moderator

    http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever
     
  5. Minimalist

    Minimalist Registered Member

  6. mirimir

    mirimir Registered Member

    It's hard to tell the bad guys from the good guys :(

    Maybe Hold Security is just fronting for the hackers ;)
     
  7. Coldmoon

    Coldmoon Returnil Moderator

    Not likely given Krebs' take on him and his character. Now is this about drumming up business? Perhaps that is a factor on the way the information has been released and the lack of details on sites hacked and on the research methodology + data. The fact remains however that this is a good kick in the rear for everyone to get serious about their password maintenance...
     
  8. mirimir

    mirimir Registered Member

    That is true. But the data is tainted, and profiting from it is dishonorable, as I see it.
     
  9. Tipsy

    Tipsy Registered Member

    There is a kick in the rear every 2 months. What will be necessary to finally change behaviours?
     
  10. SweX

    SweX Registered Member

    Last edited: Aug 8, 2014
  11. dogbite

    dogbite Registered Member

    @SweX You're welcome.

    Actually what I find annoying is the amount of articles out all without information on which websites have been affected.
     
  12. SweX

    SweX Registered Member

    Yep I haven't found any either, and I will of course not throw away $120 to find out.
     
  13. tgell

    tgell Registered Member

    So how would changing passwords help if the Websites are still vulnerable to SQL injection?
     
  14. WeAreAllHacked

    WeAreAllHacked Registered Member

    If someone is worried, just change password to those sites you care for (will take a few minutes maybe) but just paying these guys will take just as much time (and then you still haven't gained the benefit of changing the password).
     
  15. HAN

    HAN Registered Member

    If Brian Krebs says it's true (and I had serious doubts), then I must accept it. But as others have said, I do not like the "method" that Hold Security is employing to "help" us determine if any of us has suffered a breach. I'm going to wait for more info to come from this before I do much...
     
  16. mirimir

    mirimir Registered Member

    Maybe it's just me, but I get bad vibes from him, and his attitude.

    In contrast to Bruce Schneier, for example.
     
  17. Tipsy

    Tipsy Registered Member

    Not so easy to do every time another revelation.
    : (
    I can either use the internet or spend all the time changing passwords.
     
  18. Coldmoon

    Coldmoon Returnil Moderator

    The real trick is to set up a routine where you change your passwords. IOWs, don't wait for a breach announcement, just change them regularly on YOUR schedule.
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Umm, yeah:

    http://grahamcluley.com/2014/08/cybervor-pay/

    Suffice to say I am profoundly skeptical, and do not think I should consider Krebs trustworthy any more. As for Hold Security: yeah, I'm really going to give them my password hashes. Like hell.

    Edit: to be clear I've never heard of this Cluley fellow before, but the password submission part of the site? That's real:

    https://identity.holdsecurity.com/Submit/

    Also clicking on the link to it makes you implicitly agree to some license terms. Hmm. Really clean-looking, huh?
     
  20. SweX

    SweX Registered Member

    FYI, Mr Cluley worked for Sophos before he became an "Independent Security Analyst". He also writes for WeLiveSecurity sometimes. When he worked at Sophos he wrote regularly on Sophos "naked security" blog.

    http://www.welivesecurity.com/author/gcluley/#more
     
  21. siljaline

    siljaline Registered Member

    http://www.cnet.com/news/why-you-shouldnt-be-scared-by-the-largest-data-breach/
     
  22. chrisretusn

    chrisretusn Registered Member

    Interesting reading. I don't think it's the "freakiest security story since Heartbleed Tuesday". When I first read about this, before I found this very interesting thread, I was skeptical. We seem to have a lot of gloom and doom stories these days. What a terrible headline "Russian gang has amassed over a billion passwords." Sounds a lot like McDonald's one billion served. ;) I'm not one to panic over these things. I'm certainly not going to go out and change all of my passwords, I have a lot of them. Maybe later if more pertinent information is released. Right now I have no idea who was compromised, if I am affected or what really was amassed by this Russian gang.

    Now we have this company who discovers this terrible security breach charging folks who want to know if they are affected. I wonder how many will bite. I am sure some will, will that company then in turn inform their users they have been compromised?
     
  23. Veeshush

    Veeshush Registered Member

    https://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/

    I don't really have any issues with Krebs.

    If anything, I think Holds is profiting from using Krebs' name.
     
    Last edited: Aug 9, 2014
  24. blainefry

    blainefry Registered Member

  25. mirimir

    mirimir Registered Member

    So it seems that Alex is associated with Brian's criminal connections ;)
     