Tag Archives: Alex Holden

Breach Brief – Gmail, Hotmail, Yahoo Email

gmailIts likely that you have either a Gmail, Hotmail or Yahoo email account. Its also likely that it has been compromised.  According to Reuters over 270 million stolen Yahoo! Mail, Gmail, Hotmail and other email account credentials are floating around in Russia’s cyber criminal underground. Email credentials are your username and password.

These stolen email credentials were discovered by Hold Security. Researchers discovered a Russian hacker going by the name of “the Collector,” saying that he was ready to give away the credentials.  “The Collector” offered the credentials to cybercrime expert Alex Holden for free just for the publicity. Holden previously uncovered breaches at Adobe, JP Morgan and Target.

The total haul of the theft was estimated to be over one billion records but the security company eliminated duplicates lowering the total number of  credentials to just 272.3 million.

Yahoo mailMost of the credentials were associated with the Mail.ru service. Email credentials from Germany and China were also found among the stash.  However a significant number belonged to U.S. email providers. The remaining stolen credentials breakdown as follows, Yahoo Mail, 40 million credentials stolen; Microsoft Hotmail, 33 million; and Gmail 24 million. It’s not known if any of these accounts have actually been breached.

The most frightening detail of this breach is that many of the emails are linked to employees of some of the largest U.S. banking, manufacturing, and retail companies. Hold Security has informed the affected companies and organizations.

Hotmail-logoIf you have a Gmail, Yahoo or Hotmail account you should immediately change your password. Experts also recommend that you set up two-step verification on your email accounts. Gmail, Yahoo and Hotmail all offer two factor authentication that sends a second password to your smartphone when you sign in.

Officials at Yahoo and Google have yet to issue a statement about the breach. Microsoft said through a spokesperson that the stolen credentials are an unfortunate reality but that it had measures in place to detect account compromise.

 

Billions of Passwords Stolen-They got you!

ID-10096463

Courtey of digitalart

A Russian criminal gang has stolen 1.2 billion passwords and user names and 500 million email addresses.  According to Milwaukee based security firm, Hold Security, the passwords were stolen from over 400,000 businesses and personal websites. In comparison the breach of Target stores last year compromised only 40 million names. The websites include smaller businesses and stores as well as many larger businesses. Hold Security founder Alex Holden stated that many of the larger businesses are “household names.”

The group that carried out the theft is known as “CyberVor” or cyber thief in Russian. The group is suspected of being located in a small city in south central Russia. According to the New York Times the group is made up of less than a dozen young men who are close personally, not just virtually. Their computer servers are also thought to be in Russia.

The New York Times, enlisted the help of an outside security expert who, after analyzing the database of stolen credentials, confirmed it’s authenticity. A second cyber crime expert also reviewed the data. This expert is not permitted to publicly elaborate  on the theft but said major companies were compromised and are aware their records have been stolen. 

“Hackers did not just target U.S. companies, they targeted any website they could get ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.”” said Holden. 

According to Holden the gang makes money by emailing spam for  phony miracle weight loss products. “It’s really not that impactful to the individuals, and that’s why they were under the radar for so long,” Holden said. “They’ve ignored financial information almost completely.”

The ability of the criminals to collect so many passwords is indicative of the weak security of many websites regardless of size.

Holden pointed out that the stolen passwords may not have come from hacking but from the criminals buying user names and passwords on the black market. The huge number of stolen credentials multiplied this year because of  automated programs that travel the Internet looking for vulnerable websites. 

Many experts agree that the sale of the information on the black market could be very lucrative. Although credit cards are easily canceled personal information such as email addresses, Social Security numbers or password could potentially be used for identity theft. Many people have a habit of using the same passwords on multiple sites. Because of this habit criminals can test stolen credentials on websites where valuable information may be vulnerable. This includes banks and brokerage firms.

Hold Security has refused to release the names of the websites affected because of confidentiality agreements.

Breaking It Down

We’ve seen this before. Again and again hackers have stolen information from websites and again and again the consumer is left in the dark. No one is saying what websites are affected except to say they are “household names.” So lets do some math; 1.2 billion user names and passwords are stolen. Over 400,000 websites are compromised. More than 500 million email addresses are collected. The answer is simple; they got you! If you read this and do not immediately change all your passwords you’re either stupid or just don’t care. You need to be aware that many personal websites were also compromised. That includes your Facebook page, LinkedIn and many others. I have encouraged black people to use powerful pass phrases. I continue to do that. I have told you before to regularly change your pass phrases; at least every six months. Yeah, I know its a hassle. So if it bothers you that much then use a password manager. You can find them on Apple App store and Google Play. Many are free so whats your excuse? Use them! All those user names and passwords are going to be sold. And now that the word is out they will be sold soon, before they lose their value. See, although the Russian gang may not be interested in financial information, others that buy these passwords are looking to get into bank accounts, your bank account.  All African-Americans need to act on this information immediately. Why? Because we have a bad habit of being the last to know and the last to act. Yeah I said it! We need to be more pro-active and stop dragging our feet. Get busy and change your passwords to pass phrases. Don’t wait.

For more information please see;

Washington Post – Russian Hackers Amass  Over a Billion Internet Passwords

CNET – Hackers Nab 1.2 Billion Passwords in Colossal Breach, Says Security Firm

CNBC – Russian Gang Said to Amass More Than a Billion Stolen Internet Credentials