Security researchers have expressed concern over the claim that more than 4.5bn user credentials including 1.2bn unique usernames and passwords have been amassed by a Russian cybercriminal gang.
Security researchers from Kaspersky, Symantec and University College London have questioned the news reported on Tuesday that private security firm Hold Security had identified a Russian cybercriminal gang called CyberVor, which had amassed a database of more than 4.5bn stolen records, including 1.2bn unique usernames and passwords belonging to 500m email addresses.
Cybersecurity experts are concerned that Hold Security has not yet made the data public or available for confirmation by users. “We’ve had very little concrete information released,” said David Emm, senior researcher with security firm Kaspersky, talking to the Guardian.
“I’m inclined to take it with a pinch of salt for now.”
CyberVor raided more than 420,000 websites to collect the stolen user information, Hold Security said. The firm initially offered a commercial “breach notification” service that let consumers and companies check whether they had been affected, but only if they paid a fee.
The company still offers its commercial security services as part of the report, and later said it would allow consumers to check free of charge whether their usernames or passwords had been stolen.
“Nothing has been released by an established security company – I personally haven’t come across Hold Security before – and we’ve had no information on the companies affected, or whether they’re still vulnerable,” said Emm. “There’s just what seems to me to be a pretty vague claim of the largest security breach to date.”
‘Plausible but we need more data’
“There hasn’t been very much data released yet on exactly what these guys found,” explained Dr Brad Karp, a reader in computer systems and networks at the computer science department at University College London who researches internet and systems security.
Hold Security allowed an unnamed independent security expert to verify the database of stolen user details at the request of the New York Times.
“It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data,” said Karp. “We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are.”
Candid Wueest, principal threat researcher with security firm Symantec, agreed.
“Without having actual fact, it’s hard to say whether it happened like they explained or not,” said Wueest. “It is possible, but at the moment it’s speculation by one source and we haven’t seen any secondary proof, so at the moment we have to unfortunately wait and see how it evolves.”
‘It could be too early’
Companies affected by the breach have been notified, according to Hold Security.
“I haven’t seen any major companies go public and urge users to change their passwords,” explained Emm, who had been in contact with colleagues in the security industry in other countries who feel similarly about the report. “It could be too early, but the coverage across the world on this I would have expected something a bit more concrete and some notifications from companies by now.”
Wueest explained that it may simply be too soon for large companies affected by the breach to notify users, since they would need to fix the bugs that allowed hackers to steal the data in the first place before asking for mass password changes.
“You would expect that at least some of the passwords would have been hashed and encrypted, so if it’s 1.2bn hashed passwords it’s not as interesting as 1.2bn clear text passwords,” explained Wueest.
“There’s a big chance some of those passwords might not be active anymore or might just be test or throw away passwords – as seen in the Adobe breach with accounts simply made to download the latest software trials using disposable credentials,” he said.
‘Web security and software is sufficiently bad’
“The important takeaway is that it is possible due to the state of web security and software is sufficiently bad that a find like this is entirely conceivable,” said Karp.
Whether verified or not, the security leak is yet another nail in the coffin for usernames and passwords as the security device of choice. Users are still advised to maintain strong passwords that are not easy to guess and that do not include real English words, but other solutions must be found.
“This latest breach also offers more evidence that passwords are losing their effectiveness as a protection mechanism,” said Tom Burton, director of KPMG’s cyber security practice. “Individuals cannot possibly remember a different password for each website they use, let alone passwords with strength.”
“You’ve got no real control as a consumer when a breach happens at an online provider you use, but you can minimise damage by making sure you use a unique password for each account,” explained Emm.
‘Not the worst thing in the world to write down a complex password’
Other methods could boost protection, including two-factor authentication, which adds a second item of security such as a number-generating key fob or an application on a mobile phone.
An alternative solution is to move to another device or mechanism for proving identity. Wueest explained that one potential solution would be to use a mobile phone that confirmed a login via a push notification or text message, which the user would verify to allow entry into a website or computer system.
In the meantime, Emm says “it’s not the worst thing in the world to write down a complex password while at home”.
“As long as you keep it away from prying eyes and separate from your smartphone or computer – the cybercriminal is not going to come through the front door,” he said.
Security experts are advising that users keep aware of developments with the CyberVor breach, but that immediately changing all their passwords is not yet the appropriate action.
Users should keep a close eye on their accounts, especially those with financial details attached, and heed warnings from companies who have been affected if they urge users to change their passwords in the near future.