This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-28654613
The article has changed 6 times. There is an RSS feed of changes available.
| Version 2 | Version 3 |
|---|---|
| Russia gang hacks 1.2 billion usernames and passwords | Russia gang hacks 1.2 billion usernames and passwords |
| (about 5 hours later) | |
| A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security - a US firm specialising in discovering breaches. | A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security - a US firm specialising in discovering breaches. |
| Hold Security described the hack as the "largest data breach known to date". | Hold Security described the hack as the "largest data breach known to date". |
| It claimed the stolen information came from more than 420,000 websites, including "many leaders in virtually all industries across the world". | It claimed the stolen information came from more than 420,000 websites, including "many leaders in virtually all industries across the world". |
| Hold Security did not give details of the companies affected by the hack. | Hold Security did not give details of the companies affected by the hack. |
| "They didn't just target large companies; instead, they targeted every site that their victims visited," Hold Security said in its report. | "They didn't just target large companies; instead, they targeted every site that their victims visited," Hold Security said in its report. |
| "With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites." | "With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites." |
| The New York Times, which first reported the findings, said that on its request "a security expert not affiliated with Hold Security analysed the database of stolen credentials and confirmed it was authentic". | The New York Times, which first reported the findings, said that on its request "a security expert not affiliated with Hold Security analysed the database of stolen credentials and confirmed it was authentic". |
| "Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information," the paper said. | "Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information," the paper said. |
| The paper added: "Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable." | The paper added: "Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable." |
| The Wall Street Journal later revealed that Hold intended to offer website owners the ability to check whether they had been affected, but only if they paid a fee. | |
| The firm initially posted a message on its site saying it would charge $120 (£71) a month for the "breach notification service", however the details have since been replaced with a message saying "coming soon!". | |
| Multi-pronged attack? | Multi-pronged attack? |
| Hold Security, which has previously reported about hacks on Adobe and Target, said it took more than seven months of research to discover the extent of the latest hack. | Hold Security, which has previously reported about hacks on Adobe and Target, said it took more than seven months of research to discover the extent of the latest hack. |
| The firm claimed the gang initially acquired databases of stolen credentials from fellow hackers on the black market. | The firm claimed the gang initially acquired databases of stolen credentials from fellow hackers on the black market. |
| "These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems," Hold Security said. | "These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems," Hold Security said. |
| The hackers also got access to data from botnets - a network of computers infected with malware to trigger online fraud. | The hackers also got access to data from botnets - a network of computers infected with malware to trigger online fraud. |
| Hold Security said the botnets helped the hacking group - which it dubbed CyberVor - identify more than 400,000 websites that were vulnerable to cyber attacks. | Hold Security said the botnets helped the hacking group - which it dubbed CyberVor - identify more than 400,000 websites that were vulnerable to cyber attacks. |
| "The CyberVors used these vulnerabilities to steal data from these sites' databases," the firm said. | "The CyberVors used these vulnerabilities to steal data from these sites' databases," the firm said. |
| "To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords." | "To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords." |
| Password tips | |
| The University of Surrey's Prof Alan Woodward suggests the following rules should be observed when picking a new password. | |
| Don't choose one obviously associated with you | |
| Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet's name you're in trouble. | |
| Choose words that don't appear in a dictionary | |
| Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password. | |
| Use a mixture of unusual characters | |
| You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars! | |
| Have different passwords for different sites and systems | |
| If hackers compromise one system you do not want them having the key to unlock all your other accounts. | |
| Keep them safely | |
| With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone. |